Bitnami package
contour
pkg:bitnami/contour
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41246 | Hig | 8.1 | >= 1.19.0, < 1.31.6 | 1.31.6 | Apr 23, 2026 | Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malici | |
| CVE-2024-36539 | — | >= 1.28.3, < 1.28.4 | 1.28.4 | Jul 24, 2024 | Insecure permissions in contour v1.28.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 1.24.6 | 1.24.6 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2021-32783 | — | < 1.17.1 | 1.17.1 | Jul 23, 2021 | Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to | ||
| CVE-2020-15127 | — | < 1.7.0 | 1.7.0 | Aug 5, 2020 | In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown pro |
- affected >= 1.19.0, < 1.31.6fixed 1.31.6
Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malici
- CVE-2024-36539Jul 24, 2024affected >= 1.28.3, < 1.28.4fixed 1.28.4
Insecure permissions in contour v1.28.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
- affected < 1.24.6fixed 1.24.6
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2021-32783Jul 23, 2021affected < 1.17.1fixed 1.17.1
Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to
- CVE-2020-15127Aug 5, 2020affected < 1.7.0fixed 1.7.0
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown pro