Envoy 1.9.0 and before does not normalize HTTP URL paths. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Envoy
NVD
GitHub
CVSS 3.0
10.0
EPSS
2.7%
Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Code Injection
Java
Cf Deployment
Credhub
Uaa Release
NVD
CVSS 3.1
9.8
EPSS
0.6%