Product:

Openshift_service_mesh

(Redhat)
Repositories

Unknown:

This might be proprietary software.
#Vulnerabilities 20
Date Id Summary Products Score Patch Annotated
2019-08-13 CVE-2019-9516 Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory. Traffic_server, Swiftnio, Ubuntu_linux, Debian_linux, Nginx, Fedora, Web_gateway, Node\.js, Leap, Graalvm, Enterprise_linux, Jboss_core_services, Jboss_enterprise_application_platform, Openshift_service_mesh, Quay, Software_collections, Diskstation_manager, Skynas, Vs960hd_firmware 6.5
2019-08-13 CVE-2019-9514 Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. Traffic_server, Swiftnio, Ubuntu_linux, Debian_linux, Big\-Ip_local_traffic_manager, Fedora, Web_gateway, Cloud_insights, Trident, Node\.js, Leap, Graalvm, Developer_tools, Enterprise_linux, Enterprise_linux_eus, Enterprise_linux_server, Enterprise_linux_workstation, Jboss_core_services, Jboss_enterprise_application_platform, Openshift_container_platform, Openshift_service_mesh, Openstack, Quay, Single_sign\-On, Software_collections, Diskstation_manager, Skynas, Vs960hd_firmware 7.5
2019-08-13 CVE-2019-9517 Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. Http_server, Traffic_server, Swiftnio, Ubuntu_linux, Debian_linux, Fedora, Web_gateway, Clustered_data_ontap, Node\.js, Leap, Communications_element_manager, Graalvm, Instantis_enterprisetrack, Retail_xstore_point_of_service, Enterprise_linux, Jboss_core_services, Jboss_enterprise_application_platform, Openshift_service_mesh, Quay, Software_collections, Diskstation_manager, Skynas, Vs960hd_firmware 7.5
2019-08-13 CVE-2019-9518 Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. Traffic_server, Swiftnio, Ubuntu_linux, Debian_linux, Fedora, Web_gateway, Node\.js, Leap, Graalvm, Enterprise_linux, Jboss_core_services, Jboss_enterprise_application_platform, Openshift_service_mesh, Quay, Software_collections, Diskstation_manager, Skynas, Vs960hd_firmware 7.5
2019-08-13 CVE-2019-9515 Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. Traffic_server, Swiftnio, Ubuntu_linux, Debian_linux, Big\-Ip_local_traffic_manager, Fedora, Web_gateway, Node\.js, Leap, Graalvm, Enterprise_linux, Jboss_core_services, Jboss_enterprise_application_platform, Openshift_container_platform, Openshift_service_mesh, Openstack, Quay, Single_sign\-On, Software_collections, Diskstation_manager, Skynas, Vs960hd_firmware 7.5
2020-02-17 CVE-2020-1704 An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. Openshift_service_mesh 7.8
2020-03-26 CVE-2020-1764 A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration. Kiali, Openshift_service_mesh 8.6
2020-04-27 CVE-2020-1762 An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration. Kiali, Openshift_service_mesh 8.6
2020-12-21 CVE-2020-27846 A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Fedora, Grafana, Enterprise_linux, Openshift_container_platform, Openshift_service_mesh, Saml 9.8
2023-09-23 CVE-2022-3962 A content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection when an error response is retrieved from the URL being accessed. Kiali, Openshift_service_mesh 4.3