7.5

CVSS3.1

CVE-2024-34363 - Envoy can crash due to uncaught nlohmann JSON exception

Envoy is a cloud-native, open source edge and service proxy. Due to how Envoy invoked the nlohmann JSON library, the library could throw an uncaught exception from downstream data if incomplete UTF-8 strings were serialized. The uncaught exception would cause Envoy to crash.

📅 Published: June 4, 2024, midnight 🔄 Last Modified: Nov. 21, 2024, 9:18 a.m.

5.9

CVSS3.1

CVE-2024-32975 - Envoy crashes in QuicheDataReader::PeekVarInt62Length()

Envoy is a cloud-native, open source edge and service proxy. There is a crash at `QuicheDataReader::PeekVarInt62Length()`. It is caused by integer underflow in the `QuicStreamSequencerBuffer::PeekRegion()` implementation.

📅 Published: June 4, 2024, midnight 🔄 Last Modified: Nov. 21, 2024, 9:16 a.m.

5.9

CVSS3.1

CVE-2023-1419 - Debezium: script injection via connector parameter

A script injection vulnerability was found in the Debezium database connector, where it does not properly sanitize some parameters. This flaw allows an attacker to send a malicious request to inject a parameter that may allow the viewing of unauthorized data.

📅 Published: June 4, 2024, midnight 🔄 Last Modified: April 15, 2026, 12:35 a.m.

5.7

CVSS3.1

CVE-2024-34364 - Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response

Envoy is a cloud-native, open source edge and service proxy. Envoy exposed an out-of-memory (OOM) vector from the mirror response, since the async HTTP client buffers the response in an unbounded buffer.

📅 Published: June 4, 2024, midnight 🔄 Last Modified: Nov. 21, 2024, 9:18 a.m.

5.9

CVSS3.1

CVE-2024-23326 - Envoy incorrectly accepts HTTP 200 response for entering upgrade mode

Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling vulnerability exists through Envoy if a server can be tricked into adding an upgrade header into a response. Per RFC https://www.rfc-editor.org/rfc/rfc7230#section-6.7 a server sends 101 when switching prot…

📅 Published: June 4, 2024, midnight 🔄 Last Modified: Nov. 21, 2024, 8:57 a.m.

9.8

CVSS3.1

CVE-2024-24790 - Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

📅 Published: June 4, 2024, midnight 🔄 Last Modified: Feb. 13, 2025, 5:40 p.m.

5.9

CVSS3.1

CVE-2024-32974 - Envoy affected by a crash in EnvoyQuicServerStream::OnInitialHeadersComplete()

Envoy is a cloud-native, open source edge and service proxy. A crash was observed in `EnvoyQuicServerStream::OnInitialHeadersComplete()` with the following call stack. It is a use-after-free caused by QUICHE continuing to push request headers after `StopReading()` is called on the stream. As after `Sto…

📅 Published: June 4, 2024, midnight 🔄 Last Modified: Nov. 21, 2024, 9:16 a.m.

5.3

CVSS3.1

CVE-2024-24789 - Mishandling of corrupt central directory record in archive/zip

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects fi…

📅 Published: June 4, 2024, midnight 🔄 Last Modified: Feb. 13, 2025, 5:40 p.m.

5.4

CVSS3.1

CVE-2024-28103 - Action Pack is missing security headers on non-HTML responses

Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application-configurable Permissions-Policy is only served on responses with an HTML-related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.

📅 Published: June 4, 2024, midnight 🔄 Last Modified: Dec. 6, 2024, 2:15 p.m.

4.3

CVSS3.1

CVE-2023-28492 - WordPress Calendar Event Multi View plugin <= 1.4.10 - Missing Authorization Leading To Feedback Su…

Missing Authorization vulnerability in CodePeople CP Multi View Event Calendar allows Functionality Misuse. This issue affects CP Multi View Event Calendar: from n/a through 1.4.10.

📅 Published: June 3, 2024, 10:09 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.