CVE-2019-14993 — Incorrect Regular Expression in Istio

CWE-185 — Incorrect Regular Expression CWE-770 — Allocation of Resources Without Limits or Throttling CWE-400 — Uncontrolled Resource Consumption9 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 29.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Istio.io Istio Istio Envoyproxy Envoy

Timeline

PublishedAug 13

Latest updateMay 24

Description

Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDistio/istio1.2.0 — 1.2.4+1

▶Goistio.io/istio1.2.0 — 1.2.4+1

▶NVDenvoyproxy/envoy1.11.1

🔴Vulnerability Details

OSV

Istio ReDoS Vulnerability↗2022-05-24

▶

GHSA

GHSA-fgr2-cr98-vm44: In Envoy through 1↗2022-05-24

▶

GHSA

Istio ReDoS Vulnerability↗2022-05-24

▶

📋Vendor Advisories

Red Hat

istio/envoy: mishandling regular expressions for long URIs leading to DoS↗2019-10-09

▶

Red Hat

envoy: crafted request with long URI allows remote attacker to cause denial of service↗2019-08-19

▶

💬Community

Bugzilla

CVE-2019-15225 envoy: crafted request with long URI allows remote attacker to cause denial of service↗2019-10-25

▶

Bugzilla

CVE-2019-14993 istio/envoy: mishandling regular expressions for long URIs leading to DoS↗2019-10-09

▶