Giter Site home page Giter Site logo

katerinaorg / envoy Goto Github PK

View Code? Open in Web Editor NEW

This project forked from envoyproxy/envoy

0.0 0.0 0.0 129.51 MB

Cloud-native high-performance edge/middle/service proxy

Home Page: https://www.envoyproxy.io

License: Apache License 2.0

Shell 0.54% C++ 91.84% Python 2.00% C 0.04% Emacs Lisp 0.01% PureBasic 0.01% Go 0.01% Thrift 0.01% Dockerfile 0.01% Rust 0.12% Starlark 5.31% Makefile 0.01% Batchfile 0.01% Jinja 0.14%

envoy's People

Contributors

akonradi avatar alyssawilk avatar antoniovicente avatar asraa avatar ccaraman avatar danzh2010 avatar derekargueta avatar dio avatar dnoe avatar fredlas avatar ggreenway avatar htuch avatar jmarantz avatar junr03 avatar kbaichoo avatar kyessenov avatar lambdai avatar lizan avatar mattklein123 avatar moderation avatar phlax avatar piotrsikora avatar qiwzhang avatar ramaraochavali avatar rgs1 avatar romandzhabarov avatar snowp avatar sunjaybhatia avatar yanavlasov avatar zuercher avatar

envoy's Issues

CVE-2018-17846 (High) detected in github.com/envoyproxy/protoc-gen-validate-v0.1.0

CVE-2018-17846 - High Severity Vulnerability

Vulnerable Library - github.com/envoyproxy/protoc-gen-validate-v0.1.0

protoc plugin to generate polyglot message validators

Dependency Hierarchy:

  • github.com/envoyproxy/go-control-plane-v0.9.5 (Root Library)
    • github.com/envoyproxy/protoc-gen-validate-v0.1.0 (Vulnerable Library)

Found in HEAD commit: fa466b4cb231cf20de932a98d0953a1952d1cac5

Found in base branch: main

Vulnerability Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles

, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.

Publish Date: 2018-10-01

URL: CVE-2018-17846

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2021-31525 (Medium) detected in multiple libraries

CVE-2021-31525 - Medium Severity Vulnerability

Vulnerable Libraries - github.com/golang/net-5ee1b9f4859acd2e99987ef94ec7a58427c53bef, github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f, github.com/envoyproxy/protoc-gen-validate-v0.1.0, github.com/golang/net-b630fd6fe46bcfc98f989005d8b8ec1400e60a6e

github.com/golang/net-5ee1b9f4859acd2e99987ef94ec7a58427c53bef

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/golang/net-5ee1b9f4859acd2e99987ef94ec7a58427c53bef (Vulnerable Library)
github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/grpc/grpc-go-v1.36.0 (Root Library)
    • github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f (Vulnerable Library)
github.com/envoyproxy/protoc-gen-validate-v0.1.0

protoc plugin to generate polyglot message validators

Dependency Hierarchy:

  • github.com/envoyproxy/go-control-plane-v0.9.5 (Root Library)
    • github.com/envoyproxy/protoc-gen-validate-v0.1.0 (Vulnerable Library)
github.com/golang/net-b630fd6fe46bcfc98f989005d8b8ec1400e60a6e

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/grpc/grpc-go-v1.25.1 (Root Library)
    • github.com/golang/net-b630fd6fe46bcfc98f989005d8b8ec1400e60a6e (Vulnerable Library)

Found in HEAD commit: fa466b4cb231cf20de932a98d0953a1952d1cac5

Found in base branch: main

Vulnerability Details

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

Publish Date: 2021-05-27

URL: CVE-2021-31525

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341

Release Date: 2021-04-22

Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0

CVE-2021-3121 (High) detected in github.com/envoyproxy/protoc-gen-validate-v0.1.0

CVE-2021-3121 - High Severity Vulnerability

Vulnerable Library - github.com/envoyproxy/protoc-gen-validate-v0.1.0

protoc plugin to generate polyglot message validators

Dependency Hierarchy:

  • github.com/envoyproxy/go-control-plane-v0.9.5 (Root Library)
    • github.com/envoyproxy/protoc-gen-validate-v0.1.0 (Vulnerable Library)

Found in HEAD commit: fa466b4cb231cf20de932a98d0953a1952d1cac5

Found in base branch: main

Vulnerability Details

An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.

Publish Date: 2021-01-11

URL: CVE-2021-3121

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121

Release Date: 2021-01-11

Fix Resolution: v1.3.2

CVE-2021-38561 (High) detected in github.com/golang/text-v0.3.0, github.com/envoyproxy/protoc-gen-validate-v0.1.0

CVE-2021-38561 - High Severity Vulnerability

Vulnerable Libraries - github.com/golang/text-v0.3.0, github.com/envoyproxy/protoc-gen-validate-v0.1.0

github.com/golang/text-v0.3.0

[mirror] Go text processing support

Dependency Hierarchy:

  • github.com/grpc/grpc-go-v1.25.1 (Root Library)
    • github.com/golang/net-b630fd6fe46bcfc98f989005d8b8ec1400e60a6e
      • github.com/golang/text-v0.3.0 (Vulnerable Library)
github.com/envoyproxy/protoc-gen-validate-v0.1.0

protoc plugin to generate polyglot message validators

Dependency Hierarchy:

  • github.com/envoyproxy/go-control-plane-v0.9.5 (Root Library)
    • github.com/envoyproxy/protoc-gen-validate-v0.1.0 (Vulnerable Library)

Found in HEAD commit: fa466b4cb231cf20de932a98d0953a1952d1cac5

Found in base branch: main

Vulnerability Details

Due to improper index calculation, an incorrectly formatted language tag can cause Parse
to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs,
this may be used as a vector for a denial of service attack.

Publish Date: 2021-08-12

URL: CVE-2021-38561

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0113

Release Date: 2021-08-12

Fix Resolution: v0.3.7

CVE-2020-14040 (High) detected in github.com/envoyproxy/protoc-gen-validate-v0.1.0, github.com/golang/text-v0.3.0

CVE-2020-14040 - High Severity Vulnerability

Vulnerable Libraries - github.com/envoyproxy/protoc-gen-validate-v0.1.0, github.com/golang/text-v0.3.0

github.com/envoyproxy/protoc-gen-validate-v0.1.0

protoc plugin to generate polyglot message validators

Dependency Hierarchy:

  • github.com/envoyproxy/go-control-plane-v0.9.5 (Root Library)
    • github.com/envoyproxy/protoc-gen-validate-v0.1.0 (Vulnerable Library)
github.com/golang/text-v0.3.0

[mirror] Go text processing support

Dependency Hierarchy:

  • github.com/grpc/grpc-go-v1.25.1 (Root Library)
    • github.com/golang/net-b630fd6fe46bcfc98f989005d8b8ec1400e60a6e
      • github.com/golang/text-v0.3.0 (Vulnerable Library)

Found in HEAD commit: fa466b4cb231cf20de932a98d0953a1952d1cac5

Found in base branch: main

Vulnerability Details

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0015

Release Date: 2020-06-17

Fix Resolution: v0.3.3

CVE-2018-17848 (High) detected in github.com/envoyproxy/protoc-gen-validate-v0.1.0

CVE-2018-17848 - High Severity Vulnerability

Vulnerable Library - github.com/envoyproxy/protoc-gen-validate-v0.1.0

protoc plugin to generate polyglot message validators

Dependency Hierarchy:

  • github.com/envoyproxy/go-control-plane-v0.9.5 (Root Library)
    • github.com/envoyproxy/protoc-gen-validate-v0.1.0 (Vulnerable Library)

Found in HEAD commit: fa466b4cb231cf20de932a98d0953a1952d1cac5

Found in base branch: main

Vulnerability Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.

Publish Date: 2018-10-01

URL: CVE-2018-17848

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2021-27918 (High) detected in multiple libraries

CVE-2021-27918 - High Severity Vulnerability

Vulnerable Libraries - github.com/envoyproxy/protoc-gen-validate-v0.1.0, github.com/golang/net-b630fd6fe46bcfc98f989005d8b8ec1400e60a6e, github.com/golang/net-5ee1b9f4859acd2e99987ef94ec7a58427c53bef

github.com/envoyproxy/protoc-gen-validate-v0.1.0

protoc plugin to generate polyglot message validators

Dependency Hierarchy:

  • github.com/envoyproxy/go-control-plane-v0.9.5 (Root Library)
    • github.com/envoyproxy/protoc-gen-validate-v0.1.0 (Vulnerable Library)
github.com/golang/net-b630fd6fe46bcfc98f989005d8b8ec1400e60a6e

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/grpc/grpc-go-v1.25.1 (Root Library)
    • github.com/golang/net-b630fd6fe46bcfc98f989005d8b8ec1400e60a6e (Vulnerable Library)
github.com/golang/net-5ee1b9f4859acd2e99987ef94ec7a58427c53bef

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/golang/net-5ee1b9f4859acd2e99987ef94ec7a58427c53bef (Vulnerable Library)

Found in HEAD commit: fa466b4cb231cf20de932a98d0953a1952d1cac5

Found in base branch: main

Vulnerability Details

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.

Publish Date: 2021-03-11

URL: CVE-2021-27918

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw

Release Date: 2021-03-11

Fix Resolution: 1.15.9, 1.16.1

CVE-2018-17847 (High) detected in github.com/envoyproxy/protoc-gen-validate-v0.1.0

CVE-2018-17847 - High Severity Vulnerability

Vulnerable Library - github.com/envoyproxy/protoc-gen-validate-v0.1.0

protoc plugin to generate polyglot message validators

Dependency Hierarchy:

  • github.com/envoyproxy/go-control-plane-v0.9.5 (Root Library)
    • github.com/envoyproxy/protoc-gen-validate-v0.1.0 (Vulnerable Library)

Found in HEAD commit: fa466b4cb231cf20de932a98d0953a1952d1cac5

Found in base branch: main

Vulnerability Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.

Publish Date: 2018-10-01

URL: CVE-2018-17847

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2021-33194 (High) detected in multiple libraries

CVE-2021-33194 - High Severity Vulnerability

Vulnerable Libraries - github.com/golang/net-b630fd6fe46bcfc98f989005d8b8ec1400e60a6e, github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f, github.com/golang/net-5ee1b9f4859acd2e99987ef94ec7a58427c53bef, github.com/envoyproxy/protoc-gen-validate-v0.1.0

github.com/golang/net-b630fd6fe46bcfc98f989005d8b8ec1400e60a6e

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/grpc/grpc-go-v1.25.1 (Root Library)
    • github.com/golang/net-b630fd6fe46bcfc98f989005d8b8ec1400e60a6e (Vulnerable Library)
github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/grpc/grpc-go-v1.36.0 (Root Library)
    • github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f (Vulnerable Library)
github.com/golang/net-5ee1b9f4859acd2e99987ef94ec7a58427c53bef

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/golang/net-5ee1b9f4859acd2e99987ef94ec7a58427c53bef (Vulnerable Library)
github.com/envoyproxy/protoc-gen-validate-v0.1.0

protoc plugin to generate polyglot message validators

Dependency Hierarchy:

  • github.com/envoyproxy/go-control-plane-v0.9.5 (Root Library)
    • github.com/envoyproxy/protoc-gen-validate-v0.1.0 (Vulnerable Library)

Found in HEAD commit: fa466b4cb231cf20de932a98d0953a1952d1cac5

Found in base branch: main

Vulnerability Details

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

Publish Date: 2021-05-26

URL: CVE-2021-33194

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33194

Release Date: 2021-05-26

Fix Resolution: golang.org/x/net - v0.0.0-20210520170846-37e1c6afe023

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.