Upgrade RHEL:8 mysql:8.0/mysql-errmsg to version 0:8.0.30-1.module+el8.6.0+16523+5cb0e868 or higher. This issue was patched in RHSA-2022:7119 .

CVE-2021-35607 in mysql:8.0/mysql-errmsg | CVE-2021-35607

Threat Intelligence

0.05% (18^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-CHAINGUARDLATEST-ENVOYGATEWAY-8662980
published25 Jan 2025
disclosed23 Jan 2025

Report a new vulnerability Found a mistake?

Introduced: 23 Jan 2025

NewCVE-2025-24030 (opens in a new tab) CWE-419 (opens in a new tab)

How to fix?

Upgrade Chainguard envoy-gateway to version 1.2.6-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream envoy-gateway package and not the envoy-gateway package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by any version of Envoy Gateway prior to 1.2.6. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). Version 1.2.6 fixes the issue. As a workaround, the EnvoyProxy API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch.

Unprotected Primary Channel Affecting envoy-gateway package, versions <1.2.6-r0

Severity

Threat Intelligence

Do your applications use this vulnerable package?

Introduced: 23 Jan 2025

How to fix?

NVD Description

References