{"id":"CVE-2019-14993","details":"Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.","aliases":["GHSA-qcvw-82hh-gq38"],"modified":"2026-04-10T04:12:26.695076Z","published":"2019-08-13T18:15:13.117Z","related":["CGA-jr77-8987-2q2p"],"references":[{"type":"ADVISORY","url":"https://istio.io/blog/2019/istio-security-003-004/"},{"type":"ADVISORY","url":"https://discuss.istio.io/t/upcoming-security-updates-in-istio-1-2-4-and-1-1-13/3383"},{"type":"REPORT","url":"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86164"},{"type":"REPORT","url":"https://github.com/envoyproxy/envoy/issues/7728"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/istio/istio","events":[{"introduced":"0"},{"fixed":"bee64d9cd8ca9bae4e372469f25e85c5d497c61d"},{"introduced":"f8295503296ec6bae1b1047cc1491469d5e72754"},{"fixed":"94746ccd404a8e056483dd02e4e478097b950da6"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.1.13"},{"introduced":"1.2.0"},{"fixed":"1.2.4"}]}}],"versions":["0.3.0","0.5.0","0.6.0","1.0.0-snapshot.0","1.1.0","1.1.0-rc.0","1.1.0-rc.1","1.1.0-rc.2","1.1.0-rc.3","1.1.0-rc.4","1.1.0-rc.5","1.1.0-rc.6","1.1.0-snapshot.2","1.1.0-snapshot.3","1.1.0-snapshot.4","1.1.0-snapshot.5","1.1.0-snapshot.6","1.1.0.snapshot.0","1.1.0.snapshot.1","1.1.1","1.1.10","1.1.11","1.1.12","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.1.7","1.1.8","1.1.9","1.2.0","1.2.1","1.2.2","1.2.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-14993.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}