Istio pilot before v1.5.0-alpha.0 is susceptible to an array out-of-range panic. If a crafted HTTP GET request is made to the pilot debug API endpoint, it is possible to cause the Go runtime to panic, resulting in a denial of service to the istio-pilot application.
Upstream fix: https://github.com/istio/istio/commit/d96a9b6ce1ffc3deef46ffd3d356368be228f96a
This issue has been addressed in the following products: OpenShift Service Mesh 1.1, via RHSA-2021:1322 (https://access.redhat.com/errata/RHSA-2021:1322).
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-25014