pio1006 / envoy
This project forked from nextdoor/envoy
Cloud-native high-performance edge/middle/service proxy
Home Page: https://www.envoyproxy.io
License: Apache License 2.0
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy’s security policy. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. As a workaround, disable adding request headers based on the downstream request properties, such as downstream certificate properties.
Publish Date: 2023-04-04
URL: CVE-2023-27493
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w5w5-487h-qv8q
Release Date: 2023-04-04
Fix Resolution: v1.22.9,v1.23.6,v1.24.4,v1.25.3
protoc plugin to generate polyglot message validators
Library home page: https://proxy.golang.org/github.com/envoyproxy/protoc-gen-validate/@v/v0.1.0.zip
Dependency Hierarchy:
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.
Publish Date: 2018-10-01
URL: CVE-2018-17847
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17847
Release Date: 2018-10-01
Fix Resolution: golang-golang-x-net-dev - 1:0.0+git20181201.351d144+dfsg-3
No project description provided
Path to dependency file: /examples/grpc-bridge/client/requirements.txt
Path to vulnerable library: /examples/grpc-bridge/client/requirements.txt
Dependency Hierarchy:
Found in base branch: main
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value pairs per element creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: 2022-09-22
URL: CVE-2022-1941
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-8gq9-2x98-w8hf
Release Date: 2022-09-22
Fix Resolution: 3.18.3
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the OAuth filter assumes that a state query param is present on any response that looks like an OAuth redirect response. Sending it a request with the URI path equivalent to the redirect path, without the state parameter, will lead to abnormal termination of Envoy process. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. The issue can also be mitigated by locking down OAuth traffic, disabling the filter, or by filtering traffic before it reaches the OAuth filter (e.g. via a lua script).
Publish Date: 2023-04-04
URL: CVE-2023-27496
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-j79q-2g66-2xv5
Release Date: 2023-04-04
Fix Resolution: v1.22.9,v1.23.6,v1.24.4,v1.25.3
[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190403144856-b630fd6fe46b.zip
Path to dependency file: /examples/ext_authz/auth/grpc-service/go.mod
Path to vulnerable library: /examples/ext_authz/auth/grpc-service/go.mod
Dependency Hierarchy:
[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20200301022130-244492dfa37a.zip
Path to dependency file: /examples/load-reporting-service/go.mod
Path to vulnerable library: /examples/load-reporting-service/go.mod
Dependency Hierarchy:
Found in base branch: main
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Publish Date: 2023-01-13
URL: CVE-2022-41721
Base Score Metrics:
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. continueDecoding() shouldn’t ever be called from filters after a local reply has been sent. Users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2022-06-09
URL: CVE-2022-29228
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-rww6-8h7g-8jf6
Release Date: 2022-06-09
Fix Resolution: v1.21.3,v1.22.1
protoc plugin to generate polyglot message validators
Library home page: https://proxy.golang.org/github.com/envoyproxy/protoc-gen-validate/@v/v0.1.0.zip
Dependency Hierarchy:
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
Publish Date: 2021-01-11
URL: CVE-2021-3121
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121
Release Date: 2021-01-11
Fix Resolution: v1.3.2
protoc plugin to generate polyglot message validators
Library home page: https://proxy.golang.org/github.com/envoyproxy/protoc-gen-validate/@v/v0.1.0.zip
Dependency Hierarchy:
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.
Publish Date: 2018-10-01
URL: CVE-2018-17848
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17848
Release Date: 2018-10-01
Fix Resolution: golang-golang-x-net-dev - 1:0.0+git20181201.351d144+dfsg-3
The Go language implementation of gRPC. HTTP/2 based RPC
Library home page: https://proxy.golang.org/github.com/grpc/grpc-go/@v/v1.25.1.zip
Path to dependency file: /examples/ext_authz/auth/grpc-service/go.mod
Path to vulnerable library: /examples/ext_authz/auth/grpc-service/go.mod,/examples/load-reporting-service/go.mod
Dependency Hierarchy:
Found in base branch: main
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Publish Date: 2023-10-10
URL: CVE-2023-44487
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487
Release Date: 2023-10-10
Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0
Fork of Envoy used for testing and tinkering as part of the Istio dev process
Library home page: https://github.com/istio/envoy.git
Found in base branch: main
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HTTP spec. However, only the last header value is sent. This may allow specifically crafted requests to bypass authorization. Attackers may be able to escalate privileges when using ext-authz extension or back end service that uses multiple value headers for authorization. A specifically constructed request may be delivered by an untrusted downstream peer in the presence of ext-authz extension. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to the ext-authz extension to correctly merge multiple request header values, when sending request for authorization.
Publish Date: 2021-08-24
URL: CVE-2021-32777
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6g4j-5vrw-2m8h
Release Date: 2021-08-24
Fix Resolution: 1.16.5, 1.17.4, 1.18.4, 1.19.1
[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20200301022130-244492dfa37a.zip
Path to dependency file: /examples/load-reporting-service/go.mod
Path to vulnerable library: /examples/load-reporting-service/go.mod
Dependency Hierarchy:
[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190403144856-b630fd6fe46b.zip
Path to dependency file: /examples/ext_authz/auth/grpc-service/go.mod
Path to vulnerable library: /examples/ext_authz/auth/grpc-service/go.mod
Dependency Hierarchy:
Found in base branch: main
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
Publish Date: 2022-09-06
URL: CVE-2022-27664
Base Score Metrics:
Type: Upgrade version
Origin: https://pkg.go.dev/vuln/GO-2022-0969
Release Date: 2022-09-06
Fix Resolution: golang.org/x/net - 0.0.0-20220906165146-f3363e06e74c, go1.18.6, go1.19.1
[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20200301022130-244492dfa37a.zip
Path to dependency file: /examples/load-reporting-service/go.mod
Path to vulnerable library: /examples/load-reporting-service/go.mod
Dependency Hierarchy:
[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190403144856-b630fd6fe46b.zip
Path to dependency file: /examples/ext_authz/auth/grpc-service/go.mod
Path to vulnerable library: /examples/ext_authz/auth/grpc-service/go.mod
Dependency Hierarchy:
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
Publish Date: 2021-05-26
URL: CVE-2021-33194
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33194
Release Date: 2021-05-26
Fix Resolution: golang.org/x/net - v0.0.0-20210520170846-37e1c6afe023
[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190403144856-b630fd6fe46b.zip
Path to dependency file: /examples/ext_authz/auth/grpc-service/go.mod
Path to vulnerable library: /examples/ext_authz/auth/grpc-service/go.mod
Dependency Hierarchy:
[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20200301022130-244492dfa37a.zip
Path to dependency file: /examples/load-reporting-service/go.mod
Path to vulnerable library: /examples/load-reporting-service/go.mod
Dependency Hierarchy:
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Publish Date: 2023-01-13
URL: CVE-2022-41721
Base Score Metrics:
Fork of Envoy used for testing and tinkering as part of the Istio dev process
Library home page: https://github.com/istio/envoy.git
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HTTP spec. However, only the last header value is sent. This may allow specifically crafted requests to bypass authorization. Attackers may be able to escalate privileges when using ext-authz extension or back end service that uses multiple value headers for authorization. A specifically constructed request may be delivered by an untrusted downstream peer in the presence of ext-authz extension. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to the ext-authz extension to correctly merge multiple request header values, when sending request for authorization.
Publish Date: 2021-08-24
URL: CVE-2021-32777
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6g4j-5vrw-2m8h
Release Date: 2021-08-24
Fix Resolution: 1.16.5, 1.17.4, 1.18.4, 1.19.1
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the client may bypass JSON Web Token (JWT) checks and forge fake original paths. The header x-envoy-original-path should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client. The faked header would then be used for trace logs and grpc logs, as well as used in the URL used for jwt_authn checks if the jwt_authn filter is used, and any other upstream use of the x-envoy-original-path header. Attackers may forge a trusted x-envoy-original-path header. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 have patches for this issue.
Publish Date: 2023-04-04
URL: CVE-2023-27487
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5375-pq35-hf2g
Release Date: 2023-04-04
Fix Resolution: v1.22.9,v1.23.6,v1.24.4,v1.25.3
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request. Users are advised to upgrade. There is no known workaround for this issue.
Publish Date: 2022-06-09
URL: CVE-2022-29226
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h45c-2f94-prxh
Release Date: 2022-06-09
Fix Resolution: v1.21.3,v1.22.1
Python package for providing Mozilla's CA Bundle.
Library home page: https://files.pythonhosted.org/packages/05/1b/0a0dece0e8aa492a6ec9e4ad2fe366b511558cdc73fd3abc82ba7348e875/certifi-2021.5.30-py2.py3-none-any.whl
Path to dependency file: /examples/grpc-bridge/client/requirements.txt
Path to vulnerable library: /examples/grpc-bridge/client/requirements.txt
Dependency Hierarchy:
Found in base branch: main
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
Publish Date: 2023-07-25
URL: CVE-2023-37920
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-xqr8-7jwr-rhp7
Release Date: 2023-07-25
Fix Resolution (certifi): 2023.7.22
Direct dependency fix Resolution (requests): 2.27.0
[mirror] Go packages for low-level interaction with the operating system
Library home page: https://proxy.golang.org/github.com/golang/sys/@v/v0.0.0-20190502141530-050d97668623.zip
Path to dependency file: /examples/load-reporting-service/go.mod
Path to vulnerable library: /examples/load-reporting-service/go.mod
Dependency Hierarchy:
[mirror] Go packages for low-level interaction with the operating system
Library home page: https://proxy.golang.org/github.com/golang/sys/@v/v0.0.0-20190302025430-12036c158aa7.zip
Path to dependency file: /examples/ext_authz/auth/grpc-service/go.mod
Path to vulnerable library: /examples/ext_authz/auth/grpc-service/go.mod
Dependency Hierarchy:
Found in base branch: main
Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
Publish Date: 2022-06-23
URL: CVE-2022-29526
Base Score Metrics:
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-29526
Release Date: 2022-06-23
Fix Resolution: go1.17.10,go1.18.2,go1.19
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/92/96/144f70b972a9c0eabbd4391ef93ccd49d0f2747f4f6a2a2738e99e5adc65/requests-2.26.0-py2.py3-none-any.whl
Path to dependency file: /examples/grpc-bridge/client/requirements.txt
Path to vulnerable library: /examples/grpc-bridge/client/requirements.txt
Dependency Hierarchy:
Found in base branch: main
Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuild_proxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
Publish Date: 2023-05-26
URL: CVE-2023-32681
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-j8r2-6x86-q33q
Release Date: 2023-05-26
Fix Resolution: 2.32.0
[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20200301022130-244492dfa37a.zip
Path to dependency file: /examples/load-reporting-service/go.mod
Path to vulnerable library: /examples/load-reporting-service/go.mod
Dependency Hierarchy:
[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190403144856-b630fd6fe46b.zip
Path to dependency file: /examples/ext_authz/auth/grpc-service/go.mod
Path to vulnerable library: /examples/ext_authz/auth/grpc-service/go.mod
Dependency Hierarchy:
Found in base branch: main
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
Publish Date: 2021-05-27
URL: CVE-2021-31525
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341
Release Date: 2021-05-27
Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0
[mirror] Go text processing support
Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.0.zip
Path to dependency file: /examples/load-reporting-service/go.mod
Path to vulnerable library: /examples/load-reporting-service/go.mod,/examples/ext_authz/auth/grpc-service/go.mod
Dependency Hierarchy:
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.
Publish Date: 2022-12-26
URL: CVE-2021-38561
Base Score Metrics:
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2021-0113
Release Date: 2021-08-12
Fix Resolution: v0.3.7
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the Lua filter is vulnerable to denial of service. Attackers can send large request bodies for routes that have Lua filter enabled and trigger crashes. As of versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy no longer invokes the Lua coroutine if the filter has been reset. As a workaround for those whose Lua filter is buffering all requests/responses, mitigate by using the buffer filter to avoid triggering the local reply in the Lua filter.
Publish Date: 2023-04-04
URL: CVE-2023-27492
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-wpc2-2jp6-ppg2
Release Date: 2023-04-04
Fix Resolution: v1.22.9,v1.23.6,v1.24.4,v1.25.3
Envoy is a high-performance edge/middle/service proxy. Envoy crashes in Proxy protocol when using an address type that isn't supported by the OS. Envoy is susceptible to crashing on a host with IPv6 disabled and a listener config with proxy protocol enabled when it receives a request where the client presents its IPv6 address. It is valid for a client to present its IPv6 address to a target server even though the whole chain is connected via IPv4. This issue has been addressed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-02-09
URL: CVE-2024-23325
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5m7c-mrwr-pm26
Release Date: 2024-02-09
Fix Resolution: v1.26.7,v1.27.3,v1.28.1,v1.29.1
A built-package format for Python
Library home page: https://files.pythonhosted.org/packages/65/63/39d04c74222770ed1589c0eaba06c05891801219272420b40311cd60c880/wheel-0.36.2-py2.py3-none-any.whl
Path to dependency file: /tools/deprecate_features/requirements.txt
Path to vulnerable library: /tools/deprecate_features/requirements.txt,/test/extensions/filters/network/thrift_proxy/requirements.txt,/tools/base/requirements.txt,/ci/flaky_test/requirements.txt,/tools/docker/requirements.txt
Dependency Hierarchy:
Found in base branch: main
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
Publish Date: 2022-12-23
URL: CVE-2022-40898
Base Score Metrics:
[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20200301022130-244492dfa37a.zip
Path to dependency file: /examples/load-reporting-service/go.mod
Path to vulnerable library: /examples/load-reporting-service/go.mod
Dependency Hierarchy:
[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190403144856-b630fd6fe46b.zip
Path to dependency file: /examples/ext_authz/auth/grpc-service/go.mod
Path to vulnerable library: /examples/ext_authz/auth/grpc-service/go.mod
Dependency Hierarchy:
Found in base branch: main
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
Publish Date: 2022-01-01
URL: CVE-2021-44716
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-vc3p-29h2-gpcp
Release Date: 2022-01-01
Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70
[mirror] Go text processing support
Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.0.zip
Path to dependency file: /examples/load-reporting-service/go.mod
Path to vulnerable library: /examples/load-reporting-service/go.mod,/examples/ext_authz/auth/grpc-service/go.mod
Dependency Hierarchy:
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Publish Date: 2020-06-17
URL: CVE-2020-14040
Base Score Metrics:
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0015
Release Date: 2020-06-17
Fix Resolution: v0.3.3
[mirror] Go text processing support
Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.0.zip
Path to dependency file: /examples/load-reporting-service/go.mod
Path to vulnerable library: /examples/load-reporting-service/go.mod,/examples/ext_authz/auth/grpc-service/go.mod
Dependency Hierarchy:
Found in base branch: main
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Publish Date: 2022-10-14
URL: CVE-2022-32149
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-32149
Release Date: 2022-10-14
Fix Resolution: v0.3.8
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/5f/64/43575537846896abac0b15c3e5ac678d787a4021e906703f1766bfb8ea11/urllib3-1.26.6-py2.py3-none-any.whl
Path to dependency file: /examples/grpc-bridge/client/requirements.txt
Path to vulnerable library: /examples/grpc-bridge/client/requirements.txt
Dependency Hierarchy:
Found in base branch: main
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with redirects=False and disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.
Publish Date: 2023-10-17
URL: CVE-2023-45803
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g4mx-q9vg-27p4
Release Date: 2023-10-17
Fix Resolution (urllib3): 1.26.18
Direct dependency fix Resolution (requests): 2.27.0
Fork of Envoy used for testing and tinkering as part of the Istio dev process
Library home page: https://github.com/istio/envoy.git
Found in base branch: main
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, gRPC access loggers using listener's global scope can cause a use-after-free crash when the listener is drained. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, disable gRPC access log or stop listener update.
Publish Date: 2023-07-25
URL: CVE-2023-35942
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-69vr-g55c-v2v4
Release Date: 2023-07-25
Fix Resolution: v1.23.12,v1.24.10,v1.25.9
HTTP/2-based RPC framework
Library home page: https://files.pythonhosted.org/packages/21/e7/4b5f207ae6d583ee4fb074425e22876d44b58f85893f34d0b60ec6440825/grpcio-1.40.0-cp37-cp37m-manylinux2014_x86_64.whl
Path to dependency file: /examples/grpc-bridge/client/requirements.txt
Path to vulnerable library: /examples/grpc-bridge/client/requirements.txt
Dependency Hierarchy:
Found in base branch: main
When the gRPC HTTP/2 stack raised a header-size-exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients, leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in grpc/grpc#33005.
Publish Date: 2023-06-09
URL: CVE-2023-32731
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cfgp-2977-2fmm
Release Date: 2023-06-09
Fix Resolution: grpc- 1.53.0;grpcio- 1.53.0;io.grpc:grpc-protobuf:1.53.0
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1, decompressors accumulate decompressed data into an intermediate buffer before overwriting the body in decodeBody/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small, highly compressed payload. Maliciously constructed compressed payloads may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.
Publish Date: 2022-06-09
URL: CVE-2022-29225
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-75hv-2jjj-89hh
Release Date: 2022-06-09
Fix Resolution: v1.19.5,v1.20.4,v1.21.3,v1.22.1
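The failure mode behind CVE-2022-29225 is that a few kilobytes of compressed input can expand to hundreds of megabytes before any size check runs. The example below is an added illustration of the defence (bounded, incremental inflation with both an absolute output cap and an inflate-ratio cap), written for this page; it is not Envoy's decompressor, and the limits, function names and the constructed "bomb" input are our own.

```python
import zlib

# Added example of bounded decompression. Illustrative code, not Envoy's
# decompressor; the limits, names and sample inputs below are our own.

class InflateLimitExceeded(Exception):
    """Raised when output would exceed the size cap or the inflate ratio."""

def inflate_bounded(data: bytes, max_output: int, max_ratio: int = 100,
                    chunk: int = 64 * 1024) -> bytes:
    """Inflate zlib `data` incrementally.

    At most `chunk` bytes of output are produced per step (zlib's max_length),
    so peak memory is bounded by len(out) + chunk rather than by whatever the
    stream expands to. Two independent limits are checked after every step:
    an absolute output cap and a ratio of output to compressed input.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, chunk)   # bounded output per call
        pending = d.unconsumed_tail            # input zlib has not consumed yet
        if not piece and not pending:
            raise ValueError("truncated: stream ended before the zlib trailer")
        out += piece
        if len(out) > max_output:
            raise InflateLimitExceeded(f"size: output exceeds {max_output} bytes")
        if len(out) > max_ratio * max(len(data), 1):
            raise InflateLimitExceeded(f"ratio: output exceeds {max_ratio}x input")
    return bytes(out)

def inflate_or_reject(data: bytes, max_output: int, max_ratio: int = 100):
    """Return (body, None) on success or (None, reason) when the input is refused."""
    try:
        return inflate_bounded(data, max_output, max_ratio), None
    except (InflateLimitExceeded, ValueError, zlib.error) as exc:
        return None, str(exc).split(":")[0]

# Constructed inputs (built here, not taken from the advisory): a small
# legitimate body and a "bomb" of 8 MiB of zeros that compresses to a few KiB.
LEGIT_BODY = b'{"user":"alice","items":[1,2,3],"ok":true}' * 20
LEGIT_COMPRESSED = zlib.compress(LEGIT_BODY)
BOMB = zlib.compress(b"\x00" * (8 * 1024 * 1024), 9)

if __name__ == "__main__":
    print(len(BOMB), "compressed bytes ->", inflate_or_reject(BOMB, 1 << 20))
    print("legit body intact:", inflate_or_reject(LEGIT_COMPRESSED, 1 << 20)[0] == LEGIT_BODY)
```

The ratio check is what catches the advisory's scenario: a proxy rarely knows a sane absolute body size for every route, but a body that inflates to more than ~100x its compressed size is almost never legitimate traffic. Whichever limit is hit, the decompressor has allocated at most one extra chunk beyond the cap at the moment it refuses.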
[mirror] Go text processing support
Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.0.zip
Path to dependency file: /examples/load-reporting-service/go.mod
Path to vulnerable library: /examples/load-reporting-service/go.mod,/examples/ext_authz/auth/grpc-service/go.mod
Dependency Hierarchy:
Found in base branch: main
golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.
Publish Date: 2022-12-26
URL: CVE-2021-38561
Base Score Metrics:
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2021-0113
Release Date: 2021-08-12
Fix Resolution: v0.3.7
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/5f/64/43575537846896abac0b15c3e5ac678d787a4021e906703f1766bfb8ea11/urllib3-1.26.6-py2.py3-none-any.whl
Path to dependency file: /examples/grpc-bridge/client/requirements.txt
Path to vulnerable library: /examples/grpc-bridge/client/requirements.txt
Dependency Hierarchy:
Found in base branch: main
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 versions 1.26.17 and 2.0.5.
Publish Date: 2023-10-04
URL: CVE-2023-43804
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804
Release Date: 2023-10-04
Fix Resolution (urllib3): 1.26.17
Direct dependency fix Resolution (requests): 2.27.0
[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20200301022130-244492dfa37a.zip
Path to dependency file: /examples/load-reporting-service/go.mod
Path to vulnerable library: /examples/load-reporting-service/go.mod
Dependency Hierarchy:
[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190403144856-b630fd6fe46b.zip
Path to dependency file: /examples/ext_authz/auth/grpc-service/go.mod
Path to vulnerable library: /examples/ext_authz/auth/grpc-service/go.mod
Dependency Hierarchy:
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
Publish Date: 2021-05-27
URL: CVE-2021-31525
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341
Release Date: 2021-05-27
Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0
No project description provided
Path to dependency file: /examples/grpc-bridge/client/requirements.txt
Path to vulnerable library: /examples/grpc-bridge/client/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: 2022-09-22
URL: CVE-2022-1941
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-8gq9-2x98-w8hf
Release Date: 2022-09-22
Fix Resolution: 3.18.3
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. continueDecoding() shouldn’t ever be called from filters after a local reply has been sent. Users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2022-06-09
URL: CVE-2022-29228
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-rww6-8h7g-8jf6
Release Date: 2022-06-09
Fix Resolution: v1.21.3,v1.22.1
The Go language implementation of gRPC. HTTP/2 based RPC
Library home page: https://proxy.golang.org/github.com/grpc/grpc-go/@v/v1.25.1.zip
Path to dependency file: /examples/ext_authz/auth/grpc-service/go.mod
Path to vulnerable library: /examples/ext_authz/auth/grpc-service/go.mod,/examples/load-reporting-service/go.mod
Dependency Hierarchy:
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Publish Date: 2023-10-10
URL: CVE-2023-44487
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487
Release Date: 2023-10-10
Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0
A built-package format for Python
Library home page: https://files.pythonhosted.org/packages/65/63/39d04c74222770ed1589c0eaba06c05891801219272420b40311cd60c880/wheel-0.36.2-py2.py3-none-any.whl
Path to dependency file: /tools/deprecate_features/requirements.txt
Path to vulnerable library: /tools/deprecate_features/requirements.txt,/test/extensions/filters/network/thrift_proxy/requirements.txt,/tools/base/requirements.txt,/ci/flaky_test/requirements.txt,/tools/docker/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
Publish Date: 2022-12-23
URL: CVE-2022-40898
Base Score Metrics:
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter will segfault and crash Envoy when the origin header is removed and deleted between decodeHeaders and encodeHeaders. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, do not remove the origin header in the Envoy configuration.
Publish Date: 2023-07-25
URL: CVE-2023-35943
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-mc6h-6j9x-v3gq
Release Date: 2023-07-25
Fix Resolution: v1.23.12,v1.24.10,v1.25.9
Python package for providing Mozilla's CA Bundle.
Library home page: https://files.pythonhosted.org/packages/05/1b/0a0dece0e8aa492a6ec9e4ad2fe366b511558cdc73fd3abc82ba7348e875/certifi-2021.5.30-py2.py3-none-any.whl
Path to dependency file: /examples/grpc-bridge/client/requirements.txt
Path to vulnerable library: /examples/grpc-bridge/client/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.
Publish Date: 2022-12-07
URL: CVE-2022-23491
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491
Release Date: 2022-12-07
Fix Resolution (certifi): 2022.12.7
Direct dependency fix Resolution (requests): 2.27.0
[mirror] Go supplementary network libraries
Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20200301022130-244492dfa37a.zip
Dependency Hierarchy:
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
Publish Date: 2021-03-11
URL: CVE-2021-27918
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw
Release Date: 2021-03-11
Fix Resolution: 1.15.9, 1.16.1
Envoy is an open source edge and service proxy designed for cloud-native applications. A compliant HTTP/1 service should reject malformed request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, there is a possibility that a non-compliant HTTP/1 service may accept malformed requests, potentially leading to a bypass of security policies. This issue is fixed in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9.
Publish Date: 2023-04-04
URL: CVE-2023-27491
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5jmv-cw9p-f9rp
Release Date: 2023-04-04
Fix Resolution: v1.22.9,v1.23.6,v1.24.4,v1.25.3
protoc plugin to generate polyglot message validators
Library home page: https://proxy.golang.org/github.com/envoyproxy/protoc-gen-validate/@v/v0.1.0.zip
Dependency Hierarchy:
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
The html package (aka x/net/html) through 2018-09-25 in Go mishandles
Publish Date: 2018-10-01
URL: CVE-2018-17846
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17846
Release Date: 2018-10-01
Fix Resolution: golang-golang-x-net-dev - 1:0.0+git20181201.351d144+dfsg-3
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/92/96/144f70b972a9c0eabbd4391ef93ccd49d0f2747f4f6a2a2738e99e5adc65/requests-2.26.0-py2.py3-none-any.whl
Path to dependency file: /examples/grpc-bridge/client/requirements.txt
Path to vulnerable library: /examples/grpc-bridge/client/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: d853fd7abd23b213e8ecb1eded4fd77944aa8ed5
Found in base branch: main
Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuild_proxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request, as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
Publish Date: 2023-05-26
URL: CVE-2023-32681
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-j8r2-6x86-q33q
Release Date: 2023-05-26
Fix Resolution: requests -2.31.0
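The three client advisories on this page (CVE-2023-45803: request body replayed on 301/302/303; CVE-2023-43804: Cookie carried to a different origin; CVE-2023-32681: Proxy-Authorization reaching the destination) are all the same mistake, a redirect follower that copies the original request wholesale. The block below is an added example of a manual redirect policy that a caller can run with automatic redirects switched off; it is not urllib3's or requests' code. The function names, the fake transport and the sample URLs are ours, and it assumes the transport attaches proxy credentials to its own CONNECT rather than relying on the request headers.

```python
from urllib.parse import urljoin, urlsplit

# Added example of client-side redirect handling; not urllib3's or requests'
# code. Names (next_request, follow_redirects, demo) and sample URLs are ours.

CREDENTIAL_HEADERS = {"cookie", "authorization"}      # must not cross an origin
BODY_HEADERS = {"content-length", "content-type", "transfer-encoding"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) with the default port filled in, so that
    https://a.example and https://a.example:443 compare equal."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def next_request(method, url, headers, body, status, location):
    """Build the follow-up request for a 3xx, or None if this response is not
    a redirect the client follows."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return None
    target = urljoin(url, location)
    # Proxy credentials belong on the CONNECT to the proxy (assumed to be added
    # by the transport), never on the request that reaches the destination.
    hdrs = {k: v for k, v in headers.items() if k.lower() != "proxy-authorization"}
    if status in (301, 302, 303) and method.upper() != "HEAD":
        # Retry as GET with no body, as browsers and curl do: the original
        # body (form data, JSON) is not replayed to the new location.
        method, body = "GET", None
        hdrs = {k: v for k, v in hdrs.items() if k.lower() not in BODY_HEADERS}
    # 307/308 keep method and body; in every case credentials stay on their origin.
    if origin(target) != origin(url):
        hdrs = {k: v for k, v in hdrs.items() if k.lower() not in CREDENTIAL_HEADERS}
    return {"method": method, "url": target, "headers": hdrs, "body": body}

def follow_redirects(send, method, url, headers, body, max_hops=5):
    """Drive one request with redirects disabled in the transport.
    `send(method, url, headers, body)` returns (status, response_headers)."""
    for _ in range(max_hops + 1):
        status, resp_headers = send(method, url, headers, body)
        location = next((v for k, v in resp_headers.items() if k.lower() == "location"), None)
        nxt = next_request(method, url, headers, body, status, location)
        if nxt is None:
            return status, url
        method, url, headers, body = nxt["method"], nxt["url"], nxt["headers"], nxt["body"]
    raise RuntimeError("too many redirects")

def demo():
    """Constructed scenario: a compromised origin 302s a POST carrying a cookie,
    proxy credentials and a JSON body to another host. Returns every request the
    fake transport saw."""
    sent = []
    def fake_transport(method, url, headers, body):
        sent.append({"method": method, "url": url, "headers": dict(headers), "body": body})
        if url == "https://api.example.com/login":
            return 302, {"Location": "https://attacker.example.net/collect"}
        return 200, {}
    headers = {"Cookie": "session=abc", "Proxy-Authorization": "Basic cHJveHk6cHc=",
               "Content-Type": "application/json", "Content-Length": "16"}
    follow_redirects(fake_transport, "POST", "https://api.example.com/login",
                     headers, b'{"pw":"hunter2"}', max_hops=3)
    return sent

if __name__ == "__main__":
    for req in demo():
        print(req["method"], req["url"], sorted(req["headers"]), req["body"])
```

To use this with the real libraries, make the first hop with `urllib3.PoolManager().request(..., redirect=False)` or `requests.request(..., allow_redirects=False)` inside `send`, and let `next_request` decide what the second hop may carry. The same-origin comparison normalises scheme, host and default port; a redirect to `https://api.example.com:443/...` from `https://api.example.com/...` keeps its cookies, while a change of host, scheme or port drops them.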
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request. Users are advised to upgrade. There is no known workaround for this issue.
Publish Date: 2022-06-09
URL: CVE-2022-29226
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h45c-2f94-prxh
Release Date: 2022-06-09
Fix Resolution: v1.21.3,v1.22.1
Fork of Envoy used for testing and tinkering as part of the Istio dev process
Library home page: https://github.com/istio/envoy.git
Found in base branch: main
Envoy is a high-performance edge/middle/service proxy. When PPv2 is enabled both on a listener and subsequent cluster, the Envoy instance will segfault when attempting to craft the upstream PPv2 header. This occurs when the downstream request has a command type of LOCAL and does not have the protocol block. This issue has been addressed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-02-09
URL: CVE-2024-23327
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-23327
Release Date: 2024-02-09
Fix Resolution: v1.26.7,v1.27.3,v1.28.1,v1.29.1
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, escalation of privileges is possible when failure_mode_allow: true is configured for the ext_authz filter. For affected components that are used for logging and/or visibility, requests may not be logged by the receiving service. When Envoy was configured to use the ext_authz, ext_proc, tap, or ratelimit filters, or the gRPC access log service, and an HTTP header with non-UTF-8 data was received, Envoy would generate an invalid protobuf message and send it to the configured service. The receiving service would typically generate an error when decoding the protobuf message. For ext_authz configured with failure_mode_allow: true, the request would have been allowed in this case. For the other services, this could have resulted in other unforeseen errors such as a lack of visibility into requests. As of versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy by default sanitizes the values sent in gRPC service calls to be valid UTF-8, replacing data that is not valid UTF-8 with a ! character. This behavioral change can be temporarily reverted by setting the runtime guard envoy.reloadable_features.service_sanitize_non_utf8_strings to false. As a workaround, one may set failure_mode_allow: false for ext_authz.
Publish Date: 2023-04-04
URL: CVE-2023-27488
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9g5w-hqr3-w2ph
Release Date: 2023-04-04
Fix Resolution: v1.22.9,v1.23.6,v1.24.4,v1.25.3
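The advisory's point is a fail-open default: an authorization service that cannot decode what Envoy sent it returns an error, and failure_mode_allow: true turns that error into an allow. The fragment below is an added configuration example for this page, not Envoy's own documentation; it shows the weak setting beside the fail-closed one, and pins the runtime guard named in the advisory so a stale runtime override cannot turn the sanitizer back off. The cluster name ext-authz and the surrounding listener context are assumed.

```yaml
# Added example, not Envoy's own documentation. The cluster name "ext-authz"
# and the listener around this filter chain are assumed.
http_filters:
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    transport_api_version: V3
    grpc_service:
      envoy_grpc:
        cluster_name: ext-authz
      timeout: 0.25s
    # Weak setting described in the advisory: when the authz service fails
    # (including a protobuf decode error on a non-UTF-8 header), the request
    # is allowed through.
    # failure_mode_allow: true
    #
    # Fail closed: any error from the authz service denies the request. This is
    # the advisory's workaround and remains the safe choice on fixed releases.
    failure_mode_allow: false
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
---
# Bootstrap-level runtime. The sanitizer added in the fixed releases is on by
# default; pinning the guard makes an accidental revert visible in config review.
layered_runtime:
  layers:
  - name: static_layer_0
    static_layer:
      envoy.reloadable_features.service_sanitize_non_utf8_strings: true
```

Note the sanitizer only makes the message decodable; a non-UTF-8 header value arrives at the authz service as the replacement character, so policy that keys on such a header should treat it as missing rather than as a match.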