Bitnami package
envoy
pkg:bitnami/envoy
Vulnerabilities (90)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-43825 | — | < 1.18.6 | 1.18.6 | Feb 22, 2022 | Envoy is an open source edge and service proxy, designed for cloud-native applications. Sending a locally generated response must stop further processing of request or response data. Envoy tracks the amount of buffered request and response data and aborts the request if the amoun | ||
| CVE-2022-21655 | — | < 1.18.6 | 1.18.6 | Feb 22, 2022 | Envoy is an open source edge and service proxy, designed for cloud-native applications. The envoy common router will segfault if an internal redirect selects a route configured with direct response or redirect actions. This will result in a denial of service. As a workaround turn | ||
| CVE-2022-21654 | — | >= 1.7.0, < 1.18.6 | 1.18.6 | Feb 22, 2022 | Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. | ||
| CVE-2022-21657 | — | < 1.18.6 | 1.18.6 | Feb 22, 2022 | Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary ext | ||
| CVE-2022-21656 | — | < 1.20.2 | 1.20.2 | Feb 22, 2022 | Envoy is an open source edge and service proxy, designed for cloud-native applications. The default_validator.cc implementation used to implement the default certificate validation routines has a "type confusion" bug when processing subjectAltNames. This processing allows, for ex | ||
| CVE-2022-23606 | — | >= 1.20.0, < 1.20.2 | 1.20.2 | Feb 22, 2022 | Envoy is an open source edge and service proxy, designed for cloud-native applications. When a cluster is deleted via Cluster Discovery Service (CDS) all idle connections established to endpoints in that cluster are disconnected. A recursion was introduced in the procedure of dis | ||
| CVE-2021-43824 | — | < 1.18.6 | 1.18.6 | Feb 22, 2022 | Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions a crafted request crashes Envoy when a CONNECT request is sent to JWT filter configured with regex match. This provides a denial of service attack vector. The only workaro | ||
| CVE-2021-39206 | — | < 1.16.5 | 1.16.5 | Sep 9, 2021 | Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, contains two authorization related vulnerabilities CVE-2021-32777 and CVE-2021-32779. This may lead to incorrect routing or authorization policy decisions. With specially crafted requests, | ||
| CVE-2021-39204 | — | < 1.16.5 | 1.16.5 | Sep 9, 2021 | Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset. This can result in a DoS condition | ||
| CVE-2021-39162 | — | < 1.18.4 | 1.18.4 | Sep 9, 2021 | Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted *upstream* servers. 0.15.1 contains an up | ||
| CVE-2021-32780 | — | >= 1.18.0, < 1.18.4 | 1.18.4 | Aug 24, 2021 | Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions Envoy transitions a H/2 connection to the CLOSED state when it receives a GOAWAY frame without any streams outstanding. The connection state is tr | ||
| CVE-2021-32781 | — | >= 1.16.0, < 1.16.5 | 1.16.5 | Aug 24, 2021 | Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions after Envoy sends a locally generated response it must stop further processing of request or response data. However when local response is generat | ||
| CVE-2021-32779 | — | >= 1.16.0, < 1.16.5 | 1.16.5 | Aug 24, 2021 | Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy incorrectly handled a URI '#fragment' element as part of the path element. Envoy is configured with an RBAC filter for authorization or simi | ||
| CVE-2021-32778 | — | >= 1.16.0, < 1.16.5 | 1.16.5 | Aug 24, 2021 | Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy’s procedure for resetting a HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. D | ||
| CVE-2021-32777 | — | >= 1.16.0, < 1.16.5 | 1.16.5 | Aug 24, 2021 | Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HT | ||
| CVE-2021-29492 | — | < 1.15.5 | 1.15.5 | May 28, 2021 | Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g | ||
| CVE-2021-29258 | — | >= 1.14.6, < 1.14.7 | 1.14.7 | May 20, 2021 | An issue was discovered in Envoy 1.14.0. There is a remotely exploitable crash for HTTP2 Metadata, because an empty METADATA map triggers a Reachable Assertion. | ||
| CVE-2021-28683 | — | >= 1.16.2, < 1.16.3 | 1.16.3 | May 20, 2021 | An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received. | ||
| CVE-2021-28682 | — | >= 1.14.6, < 1.14.7 | 1.14.7 | May 20, 2021 | An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations. | ||
| CVE-2021-21378 | — | >= 1.17.0, < 1.17.1 | 1.17.1 | Mar 11, 2021 | Envoy is a cloud-native high-performance edge/middle/service proxy. In Envoy version 1.17.0 an attacker can bypass authentication by presenting a JWT token with an issuer that is not in the provider list when Envoy's JWT Authentication filter is configured with the `allow_missing |
- CVE-2021-43825Feb 22, 2022affected < 1.18.6fixed 1.18.6
Envoy is an open source edge and service proxy, designed for cloud-native applications. Sending a locally generated response must stop further processing of request or response data. Envoy tracks the amount of buffered request and response data and aborts the request if the amoun
- CVE-2022-21655Feb 22, 2022affected < 1.18.6fixed 1.18.6
Envoy is an open source edge and service proxy, designed for cloud-native applications. The envoy common router will segfault if an internal redirect selects a route configured with direct response or redirect actions. This will result in a denial of service. As a workaround turn
- CVE-2022-21654Feb 22, 2022affected >= 1.7.0, < 1.18.6fixed 1.18.6
Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used.
- CVE-2022-21657Feb 22, 2022affected < 1.18.6fixed 1.18.6
Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary ext
- CVE-2022-21656Feb 22, 2022affected < 1.20.2fixed 1.20.2
Envoy is an open source edge and service proxy, designed for cloud-native applications. The default_validator.cc implementation used to implement the default certificate validation routines has a "type confusion" bug when processing subjectAltNames. This processing allows, for ex
- CVE-2022-23606Feb 22, 2022affected >= 1.20.0, < 1.20.2fixed 1.20.2
Envoy is an open source edge and service proxy, designed for cloud-native applications. When a cluster is deleted via Cluster Discovery Service (CDS) all idle connections established to endpoints in that cluster are disconnected. A recursion was introduced in the procedure of dis
- CVE-2021-43824Feb 22, 2022affected < 1.18.6fixed 1.18.6
Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions a crafted request crashes Envoy when a CONNECT request is sent to JWT filter configured with regex match. This provides a denial of service attack vector. The only workaro
- CVE-2021-39206Sep 9, 2021affected < 1.16.5fixed 1.16.5
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, contains two authorization related vulnerabilities CVE-2021-32777 and CVE-2021-32779. This may lead to incorrect routing or authorization policy decisions. With specially crafted requests,
- CVE-2021-39204Sep 9, 2021affected < 1.16.5fixed 1.16.5
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset. This can result in a DoS condition
- CVE-2021-39162Sep 9, 2021affected < 1.18.4fixed 1.18.4
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted *upstream* servers. 0.15.1 contains an up
- CVE-2021-32780Aug 24, 2021affected >= 1.18.0, < 1.18.4fixed 1.18.4
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions Envoy transitions a H/2 connection to the CLOSED state when it receives a GOAWAY frame without any streams outstanding. The connection state is tr
- CVE-2021-32781Aug 24, 2021affected >= 1.16.0, < 1.16.5fixed 1.16.5
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions after Envoy sends a locally generated response it must stop further processing of request or response data. However when local response is generat
- CVE-2021-32779Aug 24, 2021affected >= 1.16.0, < 1.16.5fixed 1.16.5
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy incorrectly handled a URI '#fragment' element as part of the path element. Envoy is configured with an RBAC filter for authorization or simi
- CVE-2021-32778Aug 24, 2021affected >= 1.16.0, < 1.16.5fixed 1.16.5
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy’s procedure for resetting a HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. D
- CVE-2021-32777Aug 24, 2021affected >= 1.16.0, < 1.16.5fixed 1.16.5
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HT
- CVE-2021-29492May 28, 2021affected < 1.15.5fixed 1.15.5
Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g
- CVE-2021-29258May 20, 2021affected >= 1.14.6, < 1.14.7fixed 1.14.7
An issue was discovered in Envoy 1.14.0. There is a remotely exploitable crash for HTTP2 Metadata, because an empty METADATA map triggers a Reachable Assertion.
- CVE-2021-28683May 20, 2021affected >= 1.16.2, < 1.16.3fixed 1.16.3
An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received.
- CVE-2021-28682May 20, 2021affected >= 1.14.6, < 1.14.7fixed 1.14.7
An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations.
- CVE-2021-21378Mar 11, 2021affected >= 1.17.0, < 1.17.1fixed 1.17.1
Envoy is a cloud-native high-performance edge/middle/service proxy. In Envoy version 1.17.0 an attacker can bypass authentication by presenting a JWT token with an issuer that is not in the provider list when Envoy's JWT Authentication filter is configured with the `allow_missing
Page 4 of 5