Vulnerability Details : CVE-2019-14993
Potential exploit
Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.
Vulnerability category: Denial of service
Products affected by CVE-2019-14993
- cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-14993
- EPSS score: 0.79% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~72% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2019-14993
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2019-14993
- The product specifies a regular expression in a way that causes data to be improperly matched or compared. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-14993
- https://github.com/envoyproxy/envoy/issues/7728 : route regex match fails for large URIs · Issue #7728 · envoyproxy/envoy · GitHub (Exploit; Issue Tracking; Third Party Advisory)
- https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86164 : 86164 – std::regex crashes when matching long lines (Exploit; Issue Tracking; Third Party Advisory)
- https://istio.io/blog/2019/istio-security-003-004/ : Istio / ISTIO-SECURITY-2019-003 (Vendor Advisory)
- https://discuss.istio.io/t/upcoming-security-updates-in-istio-1-2-4-and-1-1-13/3383 : Upcoming security updates in Istio 1.2.4 and 1.1.13 - Announcements - Discuss Istio (Vendor Advisory)