CVE-2019-25014

CWE-476 — NULL Pointer Dereference CWE-129 — Improper Array Index Validation CWE-125 — Out-of-bounds Read3 documents3 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 63.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Istio Istio Redhat Openshift Service Mesh

Timeline

PublishedJan 29

Description

A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go getResourceVersion in Istio pilot before 1.5.0-alpha.0. If a particular HTTP GET request is made to the pilot API endpoint, it is possible to cause the Go runtime to panic (resulting in a denial of service to the istio-pilot application).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDistio/istio1.4.9

▶NVDredhat/openshift_service_mesh1.0

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

CVEList

CVE-2019-25014: A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug↗2021-01-29

▶

📋Vendor Advisories

Red Hat

istio-pilot: requests to debug api can result in panic↗2019-11-06

▶