{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-13T17:38:39.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://discuss.istio.io/t/upcoming-security-updates-in-istio-1-2-4-and-1-1-13/3383"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/envoyproxy/envoy/issues/7728"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://istio.io/blog/2019/istio-security-003-004/"}, {"tags": ["x_refsource_MISC"], "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86164"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-14993", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://discuss.istio.io/t/upcoming-security-updates-in-istio-1-2-4-and-1-1-13/3383", "refsource": "MISC", "url": "https://discuss.istio.io/t/upcoming-security-updates-in-istio-1-2-4-and-1-1-13/3383"}, {"name": "https://github.com/envoyproxy/envoy/issues/7728", "refsource": "MISC", "url": "https://github.com/envoyproxy/envoy/issues/7728"}, {"name": "https://istio.io/blog/2019/istio-security-003-004/", "refsource": "CONFIRM", "url": "https://istio.io/blog/2019/istio-security-003-004/"}, {"name": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86164", "refsource": "MISC", "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86164"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:34:53.164Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://discuss.istio.io/t/upcoming-security-updates-in-istio-1-2-4-and-1-1-13/3383"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/envoyproxy/envoy/issues/7728"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://istio.io/blog/2019/istio-security-003-004/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86164"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-14993", "datePublished": "2019-08-13T17:38:39.000Z", "dateReserved": "2019-08-13T00:00:00.000Z", "dateUpdated": "2024-08-05T00:34:53.164Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "20977A28-2513-4FD5-9673-AAA6D9EC8F9F", "versionEndExcluding": "1.1.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA158720-95C9-40E5-B5E6-D9243ADCC3C2", "versionEndExcluding": "1.2.4", "versionStartIncluding": "1.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API."}, {"lang": "es", "value": "Istio antes de 1.1.13 y 1.2.x antes de 1.2.4 maneja mal las expresiones regulares para URI largos, lo que lleva a una denegaci\u00f3n de servicio durante el uso de la API JWT, VirtualService, HTTPAPISpecBinding o QuotaSpecBinding."}], "id": "CVE-2019-14993", "lastModified": "2024-11-21T04:27:50.113", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-13T18:15:13.117", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://discuss.istio.io/t/upcoming-security-updates-in-istio-1-2-4-and-1-1-13/3383"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86164"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/issues/7728"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://istio.io/blog/2019/istio-security-003-004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://discuss.istio.io/t/upcoming-security-updates-in-istio-1-2-4-and-1-1-13/3383"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86164"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/issues/7728"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://istio.io/blog/2019/istio-security-003-004/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-185"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHEA-2020:1416", "cpe": "cpe:/a:redhat:service_mesh:1.1::el7", "package": "kiali-0:v1.12.7.redhat1-1.el7", "product_name": "Openshift Service Mesh 1.1", "release_date": "2020-04-08T00:00:00Z"}, {"advisory": "RHEA-2020:1416", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "package": "ior-0:1.1.0-3.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-04-08T00:00:00Z"}, {"advisory": "RHEA-2020:1416", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "package": "servicemesh-0:1.1.0-5.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-04-08T00:00:00Z"}, {"advisory": "RHEA-2020:1416", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "package": "servicemesh-cni-0:1.1.0-3.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-04-08T00:00:00Z"}, {"advisory": "RHEA-2020:1416", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "package": "servicemesh-grafana-0:6.4.3-2.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-04-08T00:00:00Z"}, {"advisory": "RHEA-2020:1416", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "package": "servicemesh-operator-0:1.1.0-9.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-04-08T00:00:00Z"}, {"advisory": "RHEA-2020:1416", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "package": "servicemesh-prometheus-0:2.14.0-3.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-04-08T00:00:00Z"}, {"advisory": "RHEA-2020:1416", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "package": "servicemesh-proxy-0:1.1.0-4.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-04-08T00:00:00Z"}], "bugzilla": {"description": "istio/envoy: mishandling regular expressions for long URIs leading to DoS", "id": "1759816", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1759816"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-185", "details": ["Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.", "A flaw was found in Istio in versions prior to 1.1.13 and 1.2.4. Regular expressions for long URIs are mishandled leading to a denial of service during the use of JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API. The highest threat from this vulnerability is to system availability."], "name": "CVE-2019-14993", "public_date": "2019-10-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-14993\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-14993\nhttps://istio.io/news/2019/istio-security-003-004/"], "threat_severity": "Important"}

{}