Filtered by vendor Redhat
Subscriptions
Filtered by product Service Mesh
Subscriptions
Total
182 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-9283 | 3 Debian, Golang, Redhat | 7 Debian Linux, Package Ssh, 3scale Amp and 4 more | 2024-11-21 | 7.5 High |
| golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client. | ||||
| CVE-2020-8664 | 2 Cncf, Redhat | 2 Envoy, Service Mesh | 2024-11-21 | 5.3 Medium |
| CNCF Envoy through 1.13.0 has incorrect Access Control when using SDS with Combined Validation Context. Using the same secret (e.g. trusted CA) across many resources together with the combined validation context could lead to the “static” part of the validation context to be not applied, even though it was visible in the active config dump. | ||||
| CVE-2020-8663 | 2 Envoyproxy, Redhat | 2 Envoy, Service Mesh | 2024-11-21 | 7.5 High |
| Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections. | ||||
| CVE-2020-8661 | 2 Cncf, Redhat | 3 Envoy, Openshift Service Mesh, Service Mesh | 2024-11-21 | 7.5 High |
| CNCF Envoy through 1.13.0 may consume excessive amounts of memory when responding internally to pipelined requests. | ||||
| CVE-2020-8660 | 2 Envoyproxy, Redhat | 2 Envoy, Service Mesh | 2024-11-21 | 5.3 Medium |
| CNCF Envoy through 1.13.0 TLS inspector bypass. TLS inspector could have been bypassed (not recognized as a TLS client) by a client using only TLS 1.3. Because TLS extensions (SNI, ALPN) were not inspected, those connections might have been matched to a wrong filter chain, possibly bypassing some security restrictions in the process. | ||||
| CVE-2020-8659 | 3 Cncf, Debian, Redhat | 4 Envoy, Debian Linux, Openshift Service Mesh and 1 more | 2024-11-21 | 7.5 High |
| CNCF Envoy through 1.13.0 may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (i.e. 1 byte) chunks. | ||||
| CVE-2020-8595 | 2 Istio, Redhat | 4 Istio, Enterprise Linux, Openshift Service Mesh and 1 more | 2024-11-21 | 7.3 High |
| Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match. | ||||
| CVE-2020-8203 | 3 Lodash, Oracle, Redhat | 24 Lodash, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management and 21 more | 2024-11-21 | 7.4 High |
| Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. | ||||
| CVE-2020-8124 | 2 Redhat, Url-parse Project | 2 Service Mesh, Url-parse | 2024-11-21 | 5.3 Medium |
| Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks. | ||||
| CVE-2020-7662 | 2 Redhat, Websocket-extensions Project | 3 Openshift, Service Mesh, Websocket-extensions | 2024-11-21 | 7.5 High |
| websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header. | ||||
| CVE-2020-7660 | 2 Redhat, Verizon | 2 Service Mesh, Serialize-javascript | 2024-11-21 | 8.1 High |
| serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". | ||||
| CVE-2020-7598 | 3 Opensuse, Redhat, Substack | 9 Leap, Enterprise Linux, Openshift and 6 more | 2024-11-21 | 5.6 Medium |
| minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. | ||||
| CVE-2020-28852 | 2 Golang, Redhat | 5 Text, Acm, Enterprise Linux and 2 more | 2024-11-21 | 7.5 High |
| In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) | ||||
| CVE-2020-28851 | 2 Golang, Redhat | 5 Go, Acm, Enterprise Linux and 2 more | 2024-11-21 | 7.5 High |
| In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) | ||||
| CVE-2020-28362 | 4 Fedoraproject, Golang, Netapp and 1 more | 12 Fedora, Go, Cloud Insights Telegraf Agent and 9 more | 2024-11-21 | 7.5 High |
| Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. | ||||
| CVE-2020-25017 | 2 Envoyproxy, Redhat | 2 Envoy, Service Mesh | 2024-11-21 | 8.3 High |
| Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurences of a non-inline header. | ||||
| CVE-2020-1764 | 2 Kiali, Redhat | 3 Kiali, Openshift Service Mesh, Service Mesh | 2024-11-21 | 8.6 High |
| A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration. | ||||
| CVE-2020-1762 | 2 Kiali, Redhat | 3 Kiali, Openshift Service Mesh, Service Mesh | 2024-11-21 | 7 High |
| An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration. | ||||
| CVE-2020-1704 | 1 Redhat | 2 Openshift Service Mesh, Service Mesh | 2024-11-21 | 7 High |
| An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. | ||||
| CVE-2020-16845 | 5 Debian, Fedoraproject, Golang and 2 more | 13 Debian Linux, Fedora, Go and 10 more | 2024-11-21 | 7.5 High |
| Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. | ||||