Advisories for Golang/Github.com/Kumahq/Kuma package

2023

github.com/kumahq/kuma affected by CVE-2023-44487

Impact

The Envoy and Go HTTP/2 protocol stacks are vulnerable to the "Rapid Reset" class of exploits, in which a client sends a sequence of HEADERS frames, optionally followed by RST_STREAM frames, to exhaust server resources. This can be exploited if you use the built-in gateway and it receives untrusted HTTP/2 traffic.

Workarounds

Disable HTTP/2 on the gateway listener with a MeshProxyPatch or ProxyTemplate.