Istio

Istio

24 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.8

CVE-2021-34824

  • EPSS 0.88%
  • Veröffentlicht 29.06.2021 14:15:08
  • Zuletzt bearbeitet 21.11.2024 06:11:16

Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

9.8

CVE-2021-31921

Exploit
  • EPSS 0.21%
  • Veröffentlicht 02.06.2021 16:15:08
  • Zuletzt bearbeitet 21.11.2024 06:06:30

Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing...

6.5

CVE-2021-31920

Exploit
  • EPSS 0.24%
  • Veröffentlicht 27.05.2021 05:15:06
  • Zuletzt bearbeitet 21.11.2024 06:06:30

Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based author...

6.5

CVE-2019-25014

  • EPSS 0.21%
  • Veröffentlicht 29.01.2021 06:15:12
  • Zuletzt bearbeitet 21.11.2024 04:39:44

A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go getResourceVersion in Istio pilot before 1.5.0-alpha.0. If a particular HTTP GET request is made to the pilot API endpoint, it is possible to cause the Go runtime to panic (resulting...

6.8

CVE-2020-16844

Exploit
  • EPSS 0.28%
  • Veröffentlicht 01.10.2020 17:15:13
  • Zuletzt bearbeitet 21.11.2024 05:07:15

In Istio 1.5.0 though 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied acces...

7.5

CVE-2020-10739

  • EPSS 0.62%
  • Veröffentlicht 02.06.2020 13:15:10
  • Zuletzt bearbeitet 21.11.2024 04:55:58

Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the following vulnerability when telemetry v2 is enabled: by sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This c...

3.1

CVE-2020-11767

Exploit
  • EPSS 0.09%
  • Veröffentlicht 15.04.2020 02:15:14
  • Zuletzt bearbeitet 21.11.2024 04:58:34

Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak issue. If there is a TCP connection (negotiated with SNI over HTTPS) to *.example.com, a request for a domain concurrently configured explicitly (e.g., abc.example.com) is sent to the serv...

7.4

CVE-2020-8843

  • EPSS 0.21%
  • Veröffentlicht 14.02.2020 19:15:10
  • Zuletzt bearbeitet 21.11.2024 05:39:33

An issue was discovered in Istio 1.3 through 1.3.6. Under certain circumstances, it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts the x-istio-attributes header at ingress that can be used to affect policy decisions...

7.5

CVE-2020-8595

  • EPSS 0.84%
  • Veröffentlicht 12.02.2020 15:15:14
  • Zuletzt bearbeitet 21.11.2024 05:39:05

Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be on...

7.5

CVE-2019-18817

Exploit
  • EPSS 0.54%
  • Veröffentlicht 12.11.2019 14:15:11
  • Zuletzt bearbeitet 21.11.2024 04:33:37

Istio 1.3.x before 1.3.5 allows Denial of Service because continue_on_listener_filters_timeout is set to True, a related issue to CVE-2019-18836.