Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
istio istio vulnerabilities and exploits
(subscribe to this query)
7.3
CVSSv3
CVE-2020-8595
Istio versions 1.2.10 (End of Life) and prior, 1.3 up to and including 1.3.7, and 1.4 up to and including 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only acc...
Istio Istio
Redhat Openshift Service Mesh 1.0
8.8
CVSSv3
CVE-2020-14306
An incorrect access control flaw was found in the operator, openshift-service-mesh/istio-rhel8-operator all versions up to and including 1.1.3. This flaw allows an attacker with a basic level of access to the cluster to deploy a custom gateway/pod to any namespace, potentially ga...
Istio-operator Project Istio-operator
7.5
CVSSv3
CVE-2019-18836
Envoy 1.12.0 allows a remote denial of service because of resource loops, as demonstrated by a single idle TCP connection being able to keep a worker thread in an infinite busy loop when continue_on_listener_filters_timeout is used."
Envoyproxy Envoy 1.12.0
Istio Istio
6.5
CVSSv3
CVE-2019-25014
A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go getResourceVersion in Istio pilot prior to 1.5.0-alpha.0. If a particular HTTP GET request is made to the pilot API endpoint, it is possible to cause the Go runtime to panic (resulting in a denial of service to t...
Istio Istio
Redhat Openshift Service Mesh 1.0
8.3
CVSSv3
CVE-2019-9900
When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorize...
Envoyproxy Envoy
Redhat Openshift Service Mesh -
1 Github repository
10
CVSSv3
CVE-2019-9901
Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., something/../admin, to bypass access control, e.g., a block on /admin. A backend server could then interpret the non-normalized path and provide an attacker access beyond ...
Envoyproxy Envoy
1 Github repository
7.8
CVSSv3
CVE-2020-1704
An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) prior to 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An attacker with access to the container could use this flaw to modify /etc/passwd an...
Redhat Openshift Service Mesh
8.6
CVSSv3
CVE-2020-1764
A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions before 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges t...
Kiali Kiali
Redhat Openshift Service Mesh 1.0
1 Github repository
8.6
CVSSv3
CVE-2020-1762
An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to vi...
Kiali Kiali
Redhat Openshift Service Mesh 1.0
7.5
CVSSv3
CVE-2021-28682
An issue exists in Envoy up to and including 1.71.1. There is a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations.
Envoyproxy Envoy 1.14.6
Envoyproxy Envoy 1.15.3
Envoyproxy Envoy 1.16.2
Envoyproxy Envoy 1.17.1
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-30310
CVE-2024-21683
CVE-2024-22187
chrome
deserialization
XPath injection
CVE-2024-27842
denial of service
CVE-2024-24851
google
CVE-2024-35400
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
NEXT »