Veracode Vulnerability DatabaseVERACODE:37581Denial Of Service (DoS)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
18.0%
istio is vulnerable to denial of service. The vulnerability is due to the Kubernetes validating or mutating webhook service being exposed to the public, allowing a malicious attacker to send a specially crafted oversized message resulting in a crash to the control plane.
References
github.com/istio/istio/commit/5389c48e5e309a23d4d748b182ca58a68298994e
github.com/istio/istio/commit/7b2c7decf835d0210f905d09e312e7ea4c95ed6b
github.com/istio/istio/commit/c5c841dae26e84b50c226cd809ea80b95eac6c95
github.com/istio/istio/pull/41296
github.com/istio/istio/pull/41297
github.com/istio/istio/pull/41298
github.com/istio/istio/security/advisories/GHSA-86vr-4wcv-mm9w
github.com/kubernetes-sigs/gateway-api/pull/1439
istio.io/latest/news/releases/1.13.x/announcing-1.13.9/
istio.io/latest/news/releases/1.15.x/announcing-1.15.2/
istio.io/news/releases/1.14.x/announcing-1.14.5/
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
18.0%