Filtered by vendor Redhat Subscriptions
Filtered by product Service Mesh Subscriptions
Total 190 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-35945 3 Envoyproxy, Nghttp2, Redhat 3 Envoy, Nghttp2, Service Mesh 2024-11-21 7.5 High
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.
CVE-2023-35944 2 Envoyproxy, Redhat 2 Envoy, Service Mesh 2024-11-21 8.2 High
Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2, however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests with mixed-case schemes such as `htTp` or `htTps`, or the bypassing of some requests such as `https` in unencrypted connections. With a fix in versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, Envoy will now lowercase scheme values by default, and change the internal scheme checks that were case-sensitive to be case-insensitive. There are no known workarounds for this issue.
CVE-2023-35943 2 Envoyproxy, Redhat 2 Envoy, Service Mesh 2024-11-21 6.3 Medium
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter will segfault and crash Envoy when the `origin` header is removed and deleted between `decodeHeaders`and `encodeHeaders`. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, do not remove the `origin` header in the Envoy configuration.
CVE-2023-35942 2 Envoyproxy, Redhat 2 Envoy, Service Mesh 2024-11-21 6.5 Medium
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, gRPC access loggers using listener's global scope can cause a `use-after-free` crash when the listener is drained. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, disable gRPC access log or stop listener update.
CVE-2023-35941 2 Envoyproxy, Redhat 2 Envoy, Service Mesh 2024-11-21 8.6 High
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by the some rare scenarios in which HMAC payload can be always valid in OAuth2 filter's check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid wildcards/prefix domain wildcards in the host's domain configuration.
CVE-2022-3962 2 Kiali, Redhat 6 Kiali, Enterprise Linux, Enterprise Linux For Ibm Z Systems and 3 more 2024-11-21 4.3 Medium
A content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection when an error response is retrieved from the URL being accessed.
CVE-2022-32189 2 Golang, Redhat 13 Go, Ceph Storage, Container Native Virtualization and 10 more 2024-11-21 7.5 High
A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.
CVE-2022-32148 2 Golang, Redhat 19 Go, Acm, Application Interconnect and 16 more 2024-11-21 6.5 Medium
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
CVE-2022-30635 2 Golang, Redhat 15 Go, Acm, Ceph Storage and 12 more 2024-11-21 7.5 High
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
CVE-2022-30633 2 Golang, Redhat 14 Go, Acm, Application Interconnect and 11 more 2024-11-21 7.5 High
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
CVE-2022-30632 2 Golang, Redhat 18 Go, Acm, Application Interconnect and 15 more 2024-11-21 7.5 High
Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.
CVE-2022-30630 2 Golang, Redhat 17 Go, Acm, Application Interconnect and 14 more 2024-11-21 7.5 High
Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.
CVE-2022-30629 2 Golang, Redhat 15 Go, Acm, Ceph Storage and 12 more 2024-11-21 3.1 Low
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
CVE-2022-29526 5 Fedoraproject, Golang, Linux and 2 more 15 Fedora, Go, Linux Kernel and 12 more 2024-11-21 5.3 Medium
Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
CVE-2022-28327 3 Fedoraproject, Golang, Redhat 20 Extra Packages For Enterprise Linux, Fedora, Go and 17 more 2024-11-21 7.5 High
The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.
CVE-2022-28131 4 Fedoraproject, Golang, Netapp and 1 more 16 Fedora, Go, Cloud Insights Telegraf and 13 more 2024-11-21 7.5 High
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
CVE-2022-27664 3 Fedoraproject, Golang, Redhat 19 Fedora, Go, Acm and 16 more 2024-11-21 7.5 High
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVE-2022-25858 2 Redhat, Terser 4 Acm, Service Mesh, Service Registry and 1 more 2024-11-21 5.3 Medium
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
CVE-2022-24921 4 Debian, Golang, Netapp and 1 more 11 Debian Linux, Go, Astra Trident and 8 more 2024-11-21 7.5 High
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
CVE-2022-24675 4 Fedoraproject, Golang, Netapp and 1 more 17 Fedora, Go, Kubernetes Monitoring Operator and 14 more 2024-11-21 7.5 High
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.