wadeling / envoy
This project forked from envoyproxy/envoy
Cloud-native high-performance edge/middle/service proxy
Home Page: https://www.envoyproxy.io
License: Apache License 2.0
*ATTENTION!: The content of this repo is merged into https://github.com/envoyproxy/envoy and future development is happening there.
Library home page: https://github.com/envoyproxy/envoy-wasm.git
Found in HEAD commit: 320650059a0b0796f39380aaca16815f2f8a4625
Found in base branch: master
An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header (such as Host) with whitespace after the header content. Envoy will treat "header-value " as a different string from "header-value" so for example with the Host header "example.com " one could bypass "example.com" matchers.
Publish Date: 2019-12-13
URL: CVE-2019-18802
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18802
Release Date: 2019-12-13
Fix Resolution: 1.12.2
Step up your Open Source Security Game with WhiteSource here
An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received.
Publish Date: 2021-05-20
URL: CVE-2021-28683
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1942263
Release Date: 2021-03-18
Fix Resolution: v1.17.2
Pygments is a syntax highlighting package written in Python.
Library home page: https://files.pythonhosted.org/packages/02/ee/b6e02dc6529e82b75bb06823ff7d005b141037cb1416b10c6f00fc419dca/Pygments-2.2.0-py2.py3-none-any.whl
Path to dependency file: envoy/docs/requirements.txt
Path to vulnerable library: envoy/docs/requirements.txt
Found in HEAD commit: 320650059a0b0796f39380aaca16815f2f8a4625
Found in base branch: master
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
Publish Date: 2021-03-23
URL: CVE-2021-20270
Type: Upgrade version
Origin: GHSA-9w8r-397f-prfh
Release Date: 2021-03-23
Fix Resolution: Pygments - 20.12.3
Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections.
Publish Date: 2020-07-01
URL: CVE-2020-8663
Type: Upgrade version
Origin: GHSA-v8q7-fq78-4997
Release Date: 2020-07-01
Fix Resolution: 1.14.3, 1.13.3, 1.12.5
In Envoy through 1.11.1, users may configure a route to match incoming path headers via the libstdc++ regular expression implementation. A remote attacker may send a request with a very long URI to result in a denial of service (memory consumption). This is a related issue to CVE-2019-14993.
Publish Date: 2019-08-19
URL: CVE-2019-15225
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15225
Release Date: 2019-08-19
Fix Resolution: v1.11.2
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
Publish Date: 2021-03-17
URL: CVE-2021-27291
Type: Upgrade version
Origin: https://github.com/pygments/pygments/releases/tag/2.7.4
Release Date: 2021-03-17
Fix Resolution: Pygments - 2.7.4
Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences %2F and %5C in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. /something%2F..%2Fadmin, to bypass access control, e.g. a block on /admin. A backend server could then decode slash sequences and normalize the path, providing an attacker access beyond the scope provided for by the access control policy.
### Impact
Escalation of Privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret %2F and /, and %5C and \, interchangeably are impacted.
### Attack Vector
URL paths containing escaped slash characters delivered by an untrusted client.
Patches in versions 1.18.3, 1.17.3, 1.16.4, 1.15.5 contain a new path normalization option to decode escaped slash characters. As a workaround, if back end servers treat %2F and /, and %5C and \, interchangeably and a URL path based access control is configured, one may reconfigure the back end server to not treat these sequences interchangeably.
Publish Date: 2021-05-28
URL: CVE-2021-29492
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1951188
Release Date: 2021-03-31
Fix Resolution: v1.15.5, v1.16.4, v1.17.3, v1.18.3
Envoy master between 2d69e30 and 3b5acb2 may fail to parse a request URL that requires host canonicalization.
Publish Date: 2020-10-01
URL: CVE-2020-25018
In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0, when validating TLS certificates, Envoy would incorrectly allow a wildcard DNS Subject Alternative Name to apply to multiple subdomains. For example, with a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only allow subdomain.example.com. This defect applies to both validating a client TLS certificate in mTLS and validating a server TLS certificate for upstream connections. This vulnerability is only applicable to situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which you intend to trust only a subdomain. For example, if you intend to trust api.mysubdomain.example.com, and an untrusted actor can obtain a signed TLS certificate for *.example.com or *.com. Configurations are vulnerable if they use verify_subject_alt_name in any Envoy version, or if they use match_subject_alt_names in version 1.14 or later. This issue has been fixed in Envoy versions 1.12.6, 1.13.4, 1.14.4, 1.15.0.
Publish Date: 2020-07-14
URL: CVE-2020-15104
Type: Upgrade version
Origin: GHSA-w5f5-6qhq-hhrg
Release Date: 2020-07-14
Fix Resolution: 1.12.6,1.13.4,1.14.4,1.15.0
Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy's setCopy() header map API does not replace all existing occurrences of a non-inline header.
Publish Date: 2020-10-01
URL: CVE-2020-25017
Type: Upgrade version
Origin: GHSA-2v25-cjjq-5f4w
Release Date: 2020-08-30
Fix Resolution: 1.12.7, 1.13.5, 1.14.5, 1.15.1
Envoy is a cloud-native high-performance edge/middle/service proxy. In Envoy version 1.17.0 an attacker can bypass authentication by presenting a JWT token with an issuer that is not in the provider list when Envoy's JWT Authentication filter is configured with the allow_missing requirement under requires_any, due to a mistake in implementation. Envoy's JWT Authentication filter can be configured with the allow_missing requirement, which is satisfied if the JWT is missing (JwtMissed error) and fails if a JWT is presented or invalid. Due to a mistake in implementation, a JwtUnknownIssuer error was mistakenly converted to JwtMissed when requires_any was configured. So if allow_missing was configured under requires_any, an attacker can bypass authentication by presenting a JWT token with an issuer that is not in the provider list. Integrity may be impacted depending on configuration if the JWT token is used to protect against writes or modifications. This regression was introduced on 2020/11/12 in PR 13839, which fixed handling of allow_missing under RequiresAny in a JwtRequirement (see issue 13458). The AnyVerifier aggregates the children verifiers' results into a final status where JwtMissing is the default error. However, a JwtUnknownIssuer was mistakenly treated the same as a JwtMissing error and the resulting final aggregation was the default JwtMissing. As a result, allow_missing would allow a JWT token with an unknown issuer status. This is fixed in version 1.17.1 by PR 15194. The fix works by preferring JwtUnknownIssuer over a JwtMissing error, fixing the accidental conversion and bypass with allow_missing. A user could detect whether a bypass occurred if they have Envoy logs enabled with debug verbosity. Users can enable component level debug logs for JWT. The JWT filter logs will indicate that there is a request with a JWT token and a failure that the JWT token is missing.
Publish Date: 2021-03-11
URL: CVE-2021-21378
Type: Upgrade version
Origin: GHSA-4996-m8hf-hj27
Release Date: 2021-03-11
Fix Resolution: v1.17.1
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/1d/e7/fd8b501e7a6dfe492a433deb7b9d833d39ca74916fa8bc63dd1a4947a671/Jinja2-2.10.1-py2.py3-none-any.whl
Path to dependency file: envoy/docs/requirements.txt
Path to vulnerable library: envoy/docs/requirements.txt, envoy/configs/requirements.txt
Found in HEAD commit: 320650059a0b0796f39380aaca16815f2f8a4625
Found in base branch: master
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
Publish Date: 2021-02-01
URL: CVE-2020-28493
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28493
Release Date: 2021-02-01
Fix Resolution: Jinja2 - 2.11.3