PT-2021-9083 · Istio · Istio
Mark Cooper · Published 2021-01-29 · Updated 2021-02-03
CVE-2019-25014
| CVSS v3.1 | 6.5 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Istio pilot versions prior to 1.5.0-alpha.0
Description
A NULL pointer dereference was found in the getResourceVersion function in pkg/proxy/envoy/v2/debug.go. A particular HTTP GET request to the pilot API endpoint causes the Go runtime to panic, resulting in a denial of service of the istio-pilot application.
Recommendations
For versions prior to 1.5.0-alpha.0, update to version 1.5.0-alpha.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the pilot API endpoint to minimize the risk of exploitation.
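To illustrate the bug class in the description, here is an added Go example (not Istio's code) with a hypothetical debug lookup: the unguarded form dereferences a map result that is nil for an unknown name and panics, while the hardened handler checks for nil and answers 404 instead. The resource type, the store contents and the /debug/version path are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// resource is a hypothetical entry served by a debug endpoint (not Istio's real type).
type resource struct{ Name, Version string }

// store is a constructed in-memory table; looking up an unknown name yields nil.
var store = map[string]*resource{"productpage": {Name: "productpage", Version: "v3"}}

// vulnerableVersion dereferences the map result unconditionally: an unknown name panics.
func vulnerableVersion(name string) string {
	return store[name].Version
}

// safeVersion is the hardened form: nil is checked and reported as "not found".
func safeVersion(name string) (string, bool) {
	r := store[name]
	if r == nil {
		return "", false
	}
	return r.Version, true
}

// debugHandler serves GET /debug/version?name=<resource> using the hardened lookup.
func debugHandler(w http.ResponseWriter, req *http.Request) {
	v, ok := safeVersion(req.URL.Query().Get("name"))
	if !ok {
		http.Error(w, "resource not found", http.StatusNotFound)
		return
	}
	fmt.Fprint(w, v)
}

// statusFor drives the handler in-process and returns the HTTP status code.
func statusFor(path string) int {
	rec := httptest.NewRecorder()
	debugHandler(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	fmt.Println(statusFor("/debug/version?name=productpage")) // 200
	fmt.Println(statusFor("/debug/version?name=missing"))     // 404
}
```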
Fix
Weakness Enumeration
NULL Pointer Dereference
Affected Products
Istio