CVE-2020-10739

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2020-10739
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-10739.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-10739
Related
Published
2020-06-02T13:15:10Z
Modified
2025-01-08T10:27:36.192119Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the following vulnerability when telemetry v2 is enabled: by sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar, triggering a null pointer exception which results in a denial of service. This also affects servicemesh-proxy where a null pointer exception flaw was found in servicemesh-proxy. When running Telemetry v2 (not on by default in version 1.4.x), an attacker could send a specially crafted packet to the ingress gateway or proxy sidecar, triggering a denial of service.

References

Affected packages

Git / github.com/istio/envoy

Affected ranges

Type
GIT
Repo
https://github.com/istio/envoy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8788a3cf255b647fd14e6b5e2585abaaedb28153
Fixed
8788a3cf255b647fd14e6b5e2585abaaedb28153
Type
GIT
Repo
https://github.com/istio/istio
Events
Introduced
c4def934e4f8d1feb42725da41ee0078cde8397f
Fixed
bdad3f25fef6e44c9485d7f0ae90b50e44a475b0

Affected versions

1.*

1.4.0
1.4.1
1.4.3
1.4.5
1.4.8

v1.*

v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.4.0

Other

vtest_image_tag
vtest_image_tag2