MidnightBSD

Advisories for projectcontour

CVE-2020-15127 MEDIUM

In Contour (Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flipping the readiness endpoint to false, which removes Envoy from the routing pool. When Envoy is run on the host network (for example, with pod spec hostNetwork=true), the shutdown manager's endpoint is accessible to anyone on the network who can reach the Kubernetes node that is running Envoy. There is no authentication in place that prevents a rogue actor on the network from shutting down Envoy via the shutdown manager endpoint. Successful exploitation of this issue will lead to bad actors shutting down all instances of Envoy, essentially killing the entire ingress data plane. This is fixed in version 1.7.0.

CVSS 3.x

Source                          Score  Severity  Vector                                        Exploitability  Impact
security-advisories@github.com  7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  3.9             3.6
nvd@nist.gov                    7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  3.9             3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306

Products Affected

Vendor Product Version
projectcontour contour *
CVE-2021-32783 MEDIUM

Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1, a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from being accessed from outside the Envoy container. This can be used to shut down Envoy remotely (a denial of service), or to expose the existence of any Secret that Envoy is using for its configuration, most notably TLS keypairs. However, it *cannot* be used to get the *content* of those secrets. Since this attack allows access to the administration interface, a variety of administration options are available, such as shutting down Envoy or draining traffic. In general, the Envoy admin interface cannot easily be used to make changes to the cluster, in-flight requests, or backend services, but it could be used to shut down or drain Envoy, change traffic routing, or retrieve secret metadata, as mentioned above. The issue will be addressed in Contour v1.18.0, and a cherry-picked patch release, v1.17.1, has been released to cover users who cannot upgrade at this time. For more details refer to the linked GitHub Security Advisory.

CVSS 3.x

Source                          Score  Severity  Vector                                        Exploitability  Impact
nvd@nist.gov                    8.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H  3.1             4.7
security-advisories@github.com  8.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H  3.1             4.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-441, CWE-610

Products Affected

Vendor Product Version
projectcontour contour *
CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS 3.x

Source        Score  Severity  Vector                                        Exploitability  Impact
nvd@nist.gov  7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  3.9             3.6

Products Affected

Vendor Product Version
redhat jboss_fuse 6.0.0
openresty openresty *
f5 big-ip_ddos_hybrid_defender *
redhat cert-manager_operator_for_red_hat_openshift -
eclipse jetty *
redhat integration_camel_k -
f5 big-ip_next_service_proxy_for_kubernetes *
redhat network_observability_operator -
cisco unified_contact_center_enterprise -
f5 big-ip_application_visibility_and_reporting 17.1.0
f5 nginx_ingress_controller *
f5 big-ip_local_traffic_manager 17.1.0
nghttp2 nghttp2 *
f5 big-ip_global_traffic_manager *
f5 big-ip_fraud_protection_service 17.1.0
f5 big-ip_websafe *
netapp oncommand_insight -
microsoft windows_10_22h2 *
redhat openshift -
f5 big-ip_ssl_orchestrator 17.1.0
redhat jboss_a-mq 7
redhat advanced_cluster_management_for_kubernetes 2.0
cisco ultra_cloud_core_-_serving_gateway_function *
redhat quay 3.0.0
linkerd linkerd 2.14.1
microsoft windows_11_22h2 *
redhat openshift_secondary_scheduler_operator -
redhat openstack_platform 16.1
f5 big-ip_next 20.0.1
varnish_cache_project varnish_cache *
golang http2 *
redhat web_terminal -
redhat openshift_developer_tools_and_services -
redhat openstack_platform 17.1
grpc grpc *
debian debian_linux 10.0
redhat ceph_storage 5.0
traefik traefik 3.0.0
cisco crosswork_data_gateway *
cisco firepower_threat_defense *
cisco ultra_cloud_core_-_policy_control_function 2024.01.0
microsoft windows_10_21h2 *
redhat process_automation 7.0
cisco prime_access_registrar *
microsoft .net *
redhat openshift_container_platform_assisted_installer -
envoyproxy envoy 1.24.10
f5 big-ip_carrier-grade_nat 17.1.0
cisco ultra_cloud_core_-_session_management_function *
microsoft azure_kubernetes_service *
linkerd linkerd 2.14.0
cisco unified_contact_center_management_portal -
redhat run_once_duration_override_operator -
f5 big-ip_fraud_protection_service *
f5 big-ip_domain_name_system 17.1.0
redhat node_healthcheck_operator -
redhat cryostat 2.0
cisco prime_cable_provisioning *
f5 big-ip_application_security_manager *
f5 big-ip_link_controller 17.1.0
envoyproxy envoy 1.25.9
redhat cost_management -
redhat node_maintenance_operator -
cisco nx-os *
redhat enterprise_linux 9.0
cisco business_process_automation *
apache tomcat 11.0.0
redhat logging_subsystem_for_red_hat_openshift -
cisco crosswork_data_gateway 5.0
f5 big-ip_application_acceleration_manager 17.1.0
redhat openshift_data_science -
redhat openshift_gitops -
cisco iot_field_network_director *
microsoft windows_server_2022 -
apache solr *
linkerd linkerd *
cisco prime_network_registrar *
ietf http 2.0
cisco enterprise_chat_and_email -
kazu-yamamoto http2 *
redhat jboss_fuse 7.0.0
f5 nginx_plus *
redhat openshift_virtualization 4
caddyserver caddy *
f5 big-ip_websafe 17.1.0
netapp astra_control_center -
cisco prime_infrastructure *
f5 nginx_plus r30
f5 big-ip_policy_enforcement_manager 17.1.0
linkerd linkerd 2.13.0
redhat ansible_automation_platform 2.0
redhat certification_for_red_hat_enterprise_linux 8.0
redhat enterprise_linux 8.0
traefik traefik *
grpc grpc 1.57.0
cisco connected_mobile_experiences *
microsoft asp.net_core *
redhat integration_camel_for_spring_boot -
envoyproxy envoy 1.26.4
cisco secure_dynamic_attributes_connector *
cisco secure_malware_analytics *
cisco data_center_network_manager -
redhat migration_toolkit_for_applications 6.0
f5 big-ip_advanced_web_application_firewall 17.1.0
istio istio *
debian debian_linux 12.0
f5 big-ip_analytics *
redhat jboss_a-mq_streams -
jenkins jenkins *
redhat build_of_optaplanner 8.0
redhat openshift_api_for_data_protection -
netty netty *
nodejs node.js *
redhat jboss_enterprise_application_platform 7.0.0
konghq kong_gateway *
fedoraproject fedora 38
projectcontour contour *
cisco unified_contact_center_domain_manager -
facebook proxygen *
redhat machine_deletion_remediation_operator -
cisco ultra_cloud_core_-_policy_control_function *
cisco fog_director *
linecorp armeria *
microsoft windows_11_21h2 *
akka http_server *
microsoft visual_studio_2022 *
microsoft windows_10_1607 *
redhat fence_agents_remediation_operator -
redhat migration_toolkit_for_containers -
f5 big-ip_advanced_web_application_firewall *
golang go *
redhat 3scale_api_management_platform 2.0
redhat satellite 6.0
f5 big-ip_application_visibility_and_reporting *
redhat advanced_cluster_security 4.0
cisco crosswork_zero_touch_provisioning *
redhat openshift_pipelines -
f5 big-ip_application_security_manager 17.1.0
redhat openshift_dev_spaces -
microsoft windows_server_2016 -
f5 big-ip_global_traffic_manager 17.1.0
f5 big-ip_webaccelerator 17.1.0
microsoft cbl-mariner *
cisco unified_attendant_console_advanced -
cisco secure_web_appliance_firmware *
redhat jboss_data_grid 7.0.0
envoyproxy envoy 1.27.0
f5 big-ip_advanced_firewall_manager *
microsoft windows_10_1809 *
redhat integration_service_registry -
f5 big-ip_application_acceleration_manager *
redhat service_interconnect 1.0
f5 big-ip_carrier-grade_nat *
f5 big-ip_analytics 17.1.0
f5 nginx_plus r29
redhat openshift_service_mesh 2.0
redhat enterprise_linux 6.0
redhat service_telemetry_framework 1.5
f5 big-ip_ddos_hybrid_defender 17.1.0
redhat support_for_spring_boot -
debian debian_linux 11.0
f5 big-ip_policy_enforcement_manager *
f5 big-ip_advanced_firewall_manager 17.1.0
apache apisix *
redhat openshift_distributed_tracing -
redhat jboss_enterprise_application_platform 6.0.0
fedoraproject fedora 37
cisco ios_xe *
redhat certification_for_red_hat_enterprise_linux 9.0
apache tomcat *
apple swiftnio_http/2 *
dena h2o *
redhat advanced_cluster_security 3.0
f5 big-ip_ssl_orchestrator *
redhat openshift_serverless -
amazon opensearch_data_prepper *
redhat openstack_platform 16.2
f5 big-ip_local_traffic_manager *
cisco crosswork_situation_manager -
f5 big-ip_access_policy_manager *
microsoft windows_server_2019 -
f5 big-ip_link_controller *
f5 big-ip_domain_name_system *
cisco telepresence_video_communication_server *
cisco ios_xr *
redhat single_sign-on 7.0
redhat decision_manager 7.0
f5 big-ip_access_policy_manager 17.1.0
redhat migration_toolkit_for_virtualization -
golang networking *
cisco expressway *
redhat openshift_container_platform 4.0
f5 nginx *
redhat self_node_remediation_operator -
redhat build_of_quarkus -
linkerd linkerd 2.13.1
apache traffic_server *
f5 big-ip_webaccelerator *
cisco unified_contact_center_enterprise_-_live_data_server *
redhat jboss_core_services -
redhat openshift_sandboxed_containers -
CVE-2024-36539

Insecure permissions in contour v1.28.3 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token.

Products Affected

Vendor Product Version
projectcontour contour 1.28.3
CVE-2026-41246

Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in spec.routes[].cookieRewritePolicies[].pathRewrite.value or spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value that results in arbitrary code execution in the Envoy proxy. The cookie rewriting feature is internally implemented using Envoy's HTTP Lua filter. User-controlled values are interpolated into Lua source code using Go text/template without sufficient sanitization. The injected code only executes when processing traffic on the attacker's own route, which they already control. However, since Envoy runs as shared infrastructure, the injected code can also read Envoy's xDS client credentials from the filesystem or cause denial of service for other tenants sharing the Envoy instance. This vulnerability is fixed in v1.33.4, v1.32.5, and v1.31.6.

CVSS 3.x

Source                          Score  Severity  Vector                                        Exploitability  Impact
security-advisories@github.com  8.1    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H  2.8             5.2

Products Affected

Vendor Product Version
projectcontour contour *