CVE-2021-39156 – istio.io/istio
Package
Manager: go
Name: istio.io/istio
Vulnerable Version: >=0 <1.9.8 || >=1.10.0 <1.10.4 || =1.11.0 || >=1.11.0 <1.11.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00291 pctl0.52018
Details
Istio Fragments in Path May Lead to Authorization Policy Bypass

### Impact
Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio's URI path based authorization policies.

### Patches
* Istio 1.11.1 and above
* Istio 1.10.4 and above
* Istio 1.9.8 and above

### Workarounds
A Lua filter may be written to normalize the path, so that the authorization policy is evaluated against the same path the upstream service will serve. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.

### References
More details can be found in the [Istio Security Bulletin](https://istio.io/latest/news/security/istio-security-2021-008)

### For more information
If you have any questions or comments about this advisory, please email us at istio-security-vulnerability-reports@googlegroups.com
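The workaround above names the technique but shows no filter. The following EnvoyFilter is an added example, written for this page and not taken from the advisory or the Istio project: it inserts a Lua filter that strips everything from the first `#` onward in the `:path` pseudo-header before any other HTTP filter (including the RBAC filter that enforces AuthorizationPolicy) sees the request, so that a request for `/admin#x` is authorized as `/admin` rather than slipping past an exact-path rule. The resource name, namespace and the `context: ANY` scope are assumptions made for the example; the Lua calls used (`headers():get`, `headers():replace`, `respond`) are the Envoy Lua filter API.

```yaml
# Added example, not part of the advisory or the Istio project.
# Strips a "#fragment" from :path so AuthorizationPolicy path rules and the
# upstream service agree on which path is being requested.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: strip-path-fragment   # assumed name
  namespace: istio-system     # root namespace: applies to every proxy in the mesh
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      # ANY covers ingress gateways and inbound sidecars, where AuthorizationPolicy
      # is enforced; it also rewrites outbound requests, which is harmless here.
      context: ANY
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      # INSERT_FIRST puts the filter ahead of authn and RBAC. Inserting only
      # before the router (as the case-normalization example does) would leave
      # the RBAC filter evaluating the un-normalized path.
      operation: INSERT_FIRST
      value:
        name: envoy.lua
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            function envoy_on_request(request_handle)
              local path = request_handle:headers():get(":path")
              if path == nil then
                return
              end
              -- plain search (4th argument true): "#" is not a Lua pattern
              local hash = string.find(path, "#", 1, true)
              if hash == nil then
                return
              end
              local stripped = string.sub(path, 1, hash - 1)
              if stripped == "" then
                -- nothing but a fragment: refuse rather than forward an empty path
                request_handle:respond({[":status"] = "400"}, "invalid path\n")
                return
              end
              request_handle:headers():replace(":path", stripped)
            end
```

After applying it, confirm the filter landed first in the HTTP filter chain with `istioctl proxy-config listener <pod> -o json` (look for `envoy.lua` ahead of `envoy.filters.http.rbac`), then exercise a denied path with a raw request such as `GET /admin#x HTTP/1.1` sent over `nc`, since most HTTP clients drop the fragment before sending. This is a stopgap only; the fix is to upgrade to the patched releases listed above.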
Metadata
Created: 2021-08-30T16:16:14Z
Modified: 2022-08-15T20:04:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-hqxw-mm44-gc4r/GHSA-hqxw-mm44-gc4r.json
CWE IDs: ["CWE-706", "CWE-863"]
Alternative ID: GHSA-hqxw-mm44-gc4r
Finding: F013
Auto approve: 1