Veracode Vulnerability DatabaseVERACODE:33223Denial Of Service (DoS)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
servicemesh is vulnerable to denial of service. The vulnerability exists due to a lack of check on the envoys procedure for resetting a HTTP/2 stream has O(N^2) complexity.
References
access.redhat.com/errata/RHEA-2021:4051
bugzilla.redhat.com/show_bug.cgi?id=1996946
github.com/envoyproxy/envoy/security/advisories/GHSA-3xh3-33v5-chcc
github.com/envoyproxy/envoy/security/advisories/GHSA-3xh3-33v5-chcc
istio.io/latest/news/security/istio-security-2021-008/
www.envoyproxy.io/docs/envoy/v1.19.0/version_history/version_history
www.envoyproxy.io/docs/envoy/v1.19.0/version_history/version_history
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P