{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-01T14:33:47", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/envoyproxy/envoy-setec/issues/137"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-fjxc-jj43-f777"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-12605", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/envoyproxy/envoy-setec/issues/137", "refsource": "MISC", "url": "https://github.com/envoyproxy/envoy-setec/issues/137"}, {"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-fjxc-jj43-f777", "refsource": "CONFIRM", "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-fjxc-jj43-f777"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:04:21.600Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/envoyproxy/envoy-setec/issues/137"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-fjxc-jj43-f777"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-12605", "datePublished": "2020-07-01T14:33:47", "dateReserved": "2020-05-01T00:00:00", "dateUpdated": "2024-08-04T12:04:21.600Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA8EC70B-A398-42FC-84C1-4892D07787F5", "versionEndIncluding": "1.12.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:1.13.2:*:*:*:*:*:*:*", "matchCriteriaId": "6FEA6763-6AEC-4081-A4AD-7C0D9C716AE5", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:1.14.2:*:*:*:*:*:*:*", "matchCriteriaId": "AC44FC52-B495-46D3-B5FC-2B5B5D214102", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs."}, {"lang": "es", "value": "Envoy versiones 1.14.2, 1.13.2, 1.12.4 o anteriores, puede consumir cantidades excesivas de memoria cuando se procesan encabezados HTTP/1.1 con nombres de campo largos o peticiones con las URL largas"}], "id": "CVE-2020-12605", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-01T15:15:12.983", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://github.com/envoyproxy/envoy-setec/issues/137"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-fjxc-jj43-f777"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Envoy security team for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:2864", "cpe": "cpe:/a:redhat:service_mesh:1.0::el8", "package": "servicemesh-proxy-0:1.0.11-1.el8", "product_name": "OpenShift Service Mesh 1.0", "release_date": "2020-07-07T00:00:00Z"}, {"advisory": "RHSA-2020:2798", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "package": "servicemesh-proxy-0:1.1.4-2.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-07-01T00:00:00Z"}], "bugzilla": {"description": "envoy: Resource exhaustion when processing HTTP/1.1 headers with long field names", "id": "1844252", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1844252"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs.", "An uncontrolled resource consumption vulnerability was found in Envoy. This flaw allows an attacker to craft many HTTP requests with long field names or URLs to cause the proxy to consume excessive amounts of memory, potentially resulting in a denial of service. The highest threat from this vulnerability is to system availability."], "name": "CVE-2020-12605", "public_date": "2020-06-30T19:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-12605\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-12605\nhttps://istio.io/latest/news/security/istio-security-2020-007/"], "threat_severity": "Important", "upstream_fix": "envoy 1.14.2"}