CVE-2019-18836

moderate-risk
Published 2019-11-11

Envoy 1.12.0 allows a remote denial of service because of resource loops, as demonstrated by a single idle TCP connection being able to keep a worker thread in an infinite busy loop when continue_on_listener_filters_timeout is used."

Do I need to act?

-
0.15% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Envoyproxy Istio

References (8)

Vendor Advisory https://blog.envoyproxy.io
Exploit https://github.com/envoyproxy/envoy/security/advisories/GHSA-3xvf-4396-cj46
Exploit https://github.com/istio/istio/issues/18229
https://groups.google.com/forum/#%21forum/envoy-users
Vendor Advisory https://blog.envoyproxy.io
Exploit https://github.com/envoyproxy/envoy/security/advisories/GHSA-3xvf-4396-cj46
Exploit https://github.com/istio/istio/issues/18229
https://groups.google.com/forum/#%21forum/envoy-users
34
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 1/34 · Minimal
Exposure 7/34 · Low