Latest Istio Vulnerabilities

- Rapid Reset HTTP/2 vulnerability
Microsoft Windows 11=21H2
Microsoft Windows Server 2022
Microsoft Windows 11=22H2
and 556 more
Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they h...
Istio Istio>=1.15.0<=1.15.2
An uncontrolled resource consumption flaw was found in the Istio control plane, istiod. This issue could allow an unauthenticated remote attacker to send a specially crafted or oversized message that ...
redhat/Istio<1.15.2
redhat/Istio<1.14.5
redhat/Istio<1.13.9
Istio Istio<1.13.9
Istio Istio>=1.14.0<1.14.5
Istio Istio>=1.15.0<1.15.2
A flaw was found in Istio. Memory access violation of ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access, resulting in undefined behavior or crashing.
redhat/servicemesh<0:2.1.3-1.el8
redhat/Istio<1.12.8
redhat/Istio<1.13.5
redhat/Istio<1.14.1
Istio Istio<1.12.8
Istio Istio>=1.13.0<1.13.5
and 1 more
A stack exhaustion flaw was found in the Istio control plane. This flaw allows a remote unauthenticated attacker to send a specially crafted or oversized message to crash the control plane process, re...
redhat/servicemesh<0:2.0.9-3.el8
redhat/servicemesh<0:2.1.2-4.el8
redhat/istio<1.11.8
redhat/istio<1.12.5
redhat/istio<1.13.2
Istio Istio<1.11.8
and 2 more
A flaw was found in Istio. This flaw allows an attacker to send a specially crafted message to istiod, causing the control plane to crash.
redhat/servicemesh<0:2.0.9-3.el8
redhat/servicemesh<0:2.1.2-4.el8
redhat/Istio<1.13.1
redhat/Istio<1.12.4
redhat/Istio<1.11.7
Istio Istio<1.11.7
and 2 more
Istio is an open platform to connect, manage, and secure microservices. In versions 1.12.0 and 1.12.1 Istio is vulnerable to a privilege escalation attack. Users who have `CREATE` permission for `gate...
Istio Istio=1.12.0
Istio Istio=1.12.0-alpha0
Istio Istio=1.12.0-alpha1
Istio Istio=1.12.0-alpha5
Istio Istio=1.12.0-beta0
Istio Istio=1.12.0-beta1
and 3 more
Istio is an open platform to connect, manage, and secure microservices. In Istio 1.12.0 and 1.12.1 The authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or r...
Istio Istio=1.12.0
Istio Istio=1.12.0-alpha0
Istio Istio=1.12.0-alpha1
Istio Istio=1.12.0-alpha5
Istio Istio=1.12.0-beta0
Istio Istio=1.12.0-beta1
and 3 more
Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 a...
Istio Istio<1.9.8
Istio Istio>=1.10.0<1.10.3
Istio Istio>=1.11.0<1.11.1
Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343...
Istio Istio<1.9.8
Istio Istio>=1.10.0<1.10.4
Istio Istio>=1.11.0<1.11.1
Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from diff...
Istio Istio>=1.8.0<1.9.6
Istio Istio>=1.10.0<1.10.2
Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a g...
Istio Istio<1.8.6
Istio Istio>=1.9.0<1.9.5
Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an...
go/istio.io/istio>=1.9.0<=1.9.4
go/istio.io/istio<1.8.6
Istio Istio<1.8.6
Istio Istio>=1.9.0<1.9.5
A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go getResourceVersion in Istio pilot before 1.5.0-alpha.0. If a particular HTTP GET request is made to the pilot API endpoint, it is po...
redhat/istio<1.5.0
Istio Istio<=1.4.9
Redhat Openshift Service Mesh=1.0
In Istio 1.5.0 through 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or na...
go/istio.io/istio>=1.6.0<1.6.8
go/istio.io/istio>=1.5.0<1.5.9
Microsoft Windows Server 2022>=1.5.0<=1.5.8
Microsoft Windows Server 2022>=1.6.0<=1.6.7
Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the following vulnerability when telemetry v2 is enabled: by sending a specially crafted packet, an attacker could trigger a Null Pointer ...
Istio Istio>=1.4.0<1.4.9
Istio Istio>=1.5.0<1.5.4
Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak issue. If there is a TCP connection (negotiated with SNI over HTTPS) to *.example.com, a request for a domain concurrently configured expl...
Envoyproxy Envoy<=1.14.1
Istio Istio<=1.5.1
An issue was discovered in Istio 1.3 through 1.3.6. Under certain circumstances, it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts the x-istio-attributes header at i...
Istio Istio>=1.3.0<=1.3.6
Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access ...
redhat/istio<1.3.8
redhat/istio<1.4.4
Istio Istio>=1.3<=1.3.7
Istio Istio>=1.4.0<=1.4.3
Redhat Openshift Service Mesh=1.0
Redhat Enterprise Linux=8.0
Istio 1.3.x before 1.3.5 allows Denial of Service because continue_on_listener_filters_timeout is set to True, a related issue to CVE-2019-18836.
go/istio.io/istio>=1.3.0<1.3.5
Istio Istio>=1.3<1.3.5
Envoy 1.12.0 allows a remote denial of service because of resource loops, as demonstrated by a single idle TCP connection being able to keep a worker thread in an infinite busy loop when continue_on_l...
Envoyproxy Envoy=1.12.0
Istio Istio>=1.3.0<=1.3.3
Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding A...
go/istio.io/istio>=1.2.0<1.2.4
go/istio.io/istio<1.1.13
Istio Istio<1.1.13
Istio Istio>=1.2.0<1.2.4
Istio before 1.2.2 mishandles certain access tokens, leading to "Epoch 0 terminated with an error" in Envoy. This is related to a jwt_authenticator.cc segmentation fault.
Istio Istio<1.2.2
Istio 1.1.x through 1.1.6 has Incorrect Access Control.
go/istio.io/istio>=1.1.0<1.1.7
Istio Istio>=1.1<=1.1.6

© 2024 SecAlerts Pty Ltd.