Filtered by vendor Redhat Subscriptions
Filtered by product Service Mesh Subscriptions
Total 171 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-23635 2 Istio, Redhat 2 Istio, Service Mesh 2024-08-03 7.5 High
Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, `istiod`, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [multicluster](https://istio.io/latest/docs/setup/install/multicluster/primary-remote/) topologies, this port is exposed over the public internet. There are no effective workarounds, beyond upgrading. Limiting network access to Istiod to the minimal set of clients can help lessen the scope of the vulnerability to some extent.
CVE-2022-23606 2 Envoyproxy, Redhat 2 Envoy, Service Mesh 2024-08-03 4.4 Medium
Envoy is an open source edge and service proxy, designed for cloud-native applications. When a cluster is deleted via Cluster Discovery Service (CDS) all idle connections established to endpoints in that cluster are disconnected. A recursion was introduced in the procedure of disconnecting idle connections that can lead to stack exhaustion and abnormal process termination when a cluster has a large number of idle connections. This infinite recursion causes Envoy to crash. Users are advised to upgrade.
CVE-2022-21655 2 Envoyproxy, Redhat 2 Envoy, Service Mesh 2024-08-03 7.5 High
Envoy is an open source edge and service proxy, designed for cloud-native applications. The envoy common router will segfault if an internal redirect selects a route configured with direct response or redirect actions. This will result in a denial of service. As a workaround turn off internal redirects if direct response entries are configured on the same listener.
CVE-2022-21654 2 Envoyproxy, Redhat 2 Envoy, Service Mesh 2024-08-03 7.4 High
Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade.
CVE-2022-3962 2 Kiali, Redhat 6 Kiali, Enterprise Linux, Enterprise Linux For Ibm Z Systems and 3 more 2024-08-03 4.3 Medium
A content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection when an error response is retrieved from the URL being accessed.
CVE-2022-2880 2 Golang, Redhat 20 Go, Acm, Ceph Storage and 17 more 2024-08-03 7.5 High
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
CVE-2022-2879 2 Golang, Redhat 16 Go, Container Native Virtualization, Devtools and 13 more 2024-08-03 7.5 High
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
CVE-2022-1962 2 Golang, Redhat 16 Go, Acm, Application Interconnect and 13 more 2024-08-03 5.5 Medium
Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.
CVE-2022-1705 2 Golang, Redhat 22 Go, Acm, Application Interconnect and 19 more 2024-08-03 6.5 Medium
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
CVE-2022-1650 3 Debian, Eventsource, Redhat 11 Debian Linux, Eventsource, Ceph Storage and 8 more 2024-08-03 8.1 High
Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.
CVE-2022-0536 2 Follow-redirects Project, Redhat 7 Follow-redirects, Acm, Openshift Data Foundation and 4 more 2024-08-02 2.6 Low
Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.
CVE-2022-0235 4 Debian, Node-fetch Project, Redhat and 1 more 14 Debian Linux, Node-fetch, Acm and 11 more 2024-08-02 6.1 Medium
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-28849 1 Redhat 11 Advanced Cluster Security, Ansible Automation Platform, Logging and 8 more 2024-08-02 6.5 Medium
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-39325 4 Fedoraproject, Golang, Netapp and 1 more 53 Fedora, Go, Http2 and 50 more 2024-08-02 7.5 High
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
CVE-2024-42460 2 Elliptic Project, Redhat 4 Elliptic, Acm, Multicluster Engine and 1 more 2024-08-02 5.3 Medium
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.
CVE-2024-42459 2 Elliptic Project, Redhat 4 Elliptic, Acm, Multicluster Engine and 1 more 2024-08-02 5.3 Medium
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.
CVE-2023-27496 2 Envoyproxy, Redhat 2 Envoy, Service Mesh 2024-08-02 6.5 Medium
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the OAuth filter assumes that a `state` query param is present on any response that looks like an OAuth redirect response. Sending it a request with the URI path equivalent to the redirect path, without the `state` parameter, will lead to abnormal termination of Envoy process. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. The issue can also be mitigated by locking down OAuth traffic, disabling the filter, or by filtering traffic before it reaches the OAuth filter (e.g. via a lua script).
CVE-2023-27491 2 Envoyproxy, Redhat 2 Envoy, Service Mesh 2024-08-02 5.4 Medium
Envoy is an open source edge and service proxy designed for cloud-native applications. Compliant HTTP/1 service should reject malformed request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, There is a possibility that non compliant HTTP/1 service may allow malformed requests, potentially leading to a bypass of security policies. This issue is fixed in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9.
CVE-2023-27492 2 Envoyproxy, Redhat 2 Envoy, Service Mesh 2024-08-02 4.8 Medium
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the Lua filter is vulnerable to denial of service. Attackers can send large request bodies for routes that have Lua filter enabled and trigger crashes. As of versions versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy no longer invokes the Lua coroutine if the filter has been reset. As a workaround for those whose Lua filter is buffering all requests/ responses, mitigate by using the buffer filter to avoid triggering the local reply in the Lua filter.
CVE-2023-27493 2 Envoyproxy, Redhat 2 Envoy, Service Mesh 2024-08-02 8.1 High
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy’s security policy. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. As a workaround, disable adding request headers based on the downstream request properties, such as downstream certificate properties.