Filtered by vendor Redhat
Subscriptions
Filtered by product Service Mesh
Subscriptions
Total
186 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-29482 | 2 Redhat, Xz Project | 6 Acm, Container Native Virtualization, Openshift Api Data Protection and 3 more | 2024-11-21 | 7.5 High |
| xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated. | ||||
| CVE-2021-29258 | 2 Envoyproxy, Redhat | 2 Envoy, Service Mesh | 2024-11-21 | 7.5 High |
| An issue was discovered in Envoy 1.14.0. There is a remotely exploitable crash for HTTP2 Metadata, because an empty METADATA map triggers a Reachable Assertion. | ||||
| CVE-2021-28683 | 2 Envoyproxy, Redhat | 2 Envoy, Service Mesh | 2024-11-21 | 7.5 High |
| An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received. | ||||
| CVE-2021-28682 | 2 Envoyproxy, Redhat | 2 Envoy, Service Mesh | 2024-11-21 | 7.5 High |
| An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations. | ||||
| CVE-2021-20329 | 2 Mongodb, Redhat | 4 Go Driver, Container Native Virtualization, Openshift and 1 more | 2024-11-21 | 6.8 Medium |
| Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers prior to and including 1.5.0. | ||||
| CVE-2020-9283 | 3 Debian, Golang, Redhat | 7 Debian Linux, Package Ssh, 3scale Amp and 4 more | 2024-11-21 | 7.5 High |
| golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client. | ||||
| CVE-2020-8664 | 2 Cncf, Redhat | 2 Envoy, Service Mesh | 2024-11-21 | 5.3 Medium |
| CNCF Envoy through 1.13.0 has incorrect Access Control when using SDS with Combined Validation Context. Using the same secret (e.g. trusted CA) across many resources together with the combined validation context could lead to the “static” part of the validation context to be not applied, even though it was visible in the active config dump. | ||||
| CVE-2020-8663 | 2 Envoyproxy, Redhat | 2 Envoy, Service Mesh | 2024-11-21 | 7.5 High |
| Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections. | ||||
| CVE-2020-8661 | 2 Cncf, Redhat | 3 Envoy, Openshift Service Mesh, Service Mesh | 2024-11-21 | 7.5 High |
| CNCF Envoy through 1.13.0 may consume excessive amounts of memory when responding internally to pipelined requests. | ||||
| CVE-2020-8660 | 2 Envoyproxy, Redhat | 2 Envoy, Service Mesh | 2024-11-21 | 5.3 Medium |
| CNCF Envoy through 1.13.0 TLS inspector bypass. TLS inspector could have been bypassed (not recognized as a TLS client) by a client using only TLS 1.3. Because TLS extensions (SNI, ALPN) were not inspected, those connections might have been matched to a wrong filter chain, possibly bypassing some security restrictions in the process. | ||||
| CVE-2020-8659 | 3 Cncf, Debian, Redhat | 4 Envoy, Debian Linux, Openshift Service Mesh and 1 more | 2024-11-21 | 7.5 High |
| CNCF Envoy through 1.13.0 may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (i.e. 1 byte) chunks. | ||||
| CVE-2020-8595 | 2 Istio, Redhat | 4 Istio, Enterprise Linux, Openshift Service Mesh and 1 more | 2024-11-21 | 7.3 High |
| Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match. | ||||
| CVE-2020-8203 | 3 Lodash, Oracle, Redhat | 24 Lodash, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management and 21 more | 2024-11-21 | 7.4 High |
| Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. | ||||
| CVE-2020-8124 | 2 Redhat, Url-parse Project | 2 Service Mesh, Url-parse | 2024-11-21 | 5.3 Medium |
| Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks. | ||||
| CVE-2020-7662 | 2 Redhat, Websocket-extensions Project | 3 Openshift, Service Mesh, Websocket-extensions | 2024-11-21 | 7.5 High |
| websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header. | ||||
| CVE-2020-7660 | 2 Redhat, Verizon | 2 Service Mesh, Serialize-javascript | 2024-11-21 | 8.1 High |
| serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". | ||||
| CVE-2020-7598 | 3 Opensuse, Redhat, Substack | 9 Leap, Enterprise Linux, Openshift and 6 more | 2024-11-21 | 5.6 Medium |
| minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. | ||||
| CVE-2020-28852 | 2 Golang, Redhat | 5 Text, Acm, Enterprise Linux and 2 more | 2024-11-21 | 7.5 High |
| In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) | ||||
| CVE-2020-28851 | 2 Golang, Redhat | 5 Go, Acm, Enterprise Linux and 2 more | 2024-11-21 | 7.5 High |
| In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) | ||||
| CVE-2020-28362 | 4 Fedoraproject, Golang, Netapp and 1 more | 12 Fedora, Go, Cloud Insights Telegraf Agent and 9 more | 2024-11-21 | 7.5 High |
| Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. | ||||