CVE-2021-39156 Information

Description

Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies, and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with a fragment in the path may bypass Istio's URI-path-based authorization policies. Patches are available in Istio 1.11.1, Istio 1.10.4, and Istio 1.9.8. As a workaround, a Lua filter may be written to normalize the path.
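The following is an added illustration, not code from Istio or Envoy and not the Lua workaround itself: a Python stand-in for the normalization step, showing why a path-based rule evaluated on the raw request-line path misses a request whose path carries a fragment, and how stripping the fragment before matching closes the gap. The protected prefix, the simplified exact/segment-prefix matcher (a stand-in for Istio's AuthorizationPolicy path matching) and the sample request paths are all constructed for this example.

```python
"""Added example (not Istio's or Envoy's code): strip the URI fragment before
evaluating a path-based authorization rule.

An RFC 3986 fragment is never meant to reach an origin server, so a '#' in the
request-line path is an anomaly. If the policy engine matches on the raw path
while the backend ignores everything from '#' onward, the two disagree about
which resource is being requested, and the rule for that resource is skipped.
"""

# Constructed policy: unauthenticated access to /admin (and anything under it)
# must be denied. Exact match or segment-prefix match, as a simplification of
# an AuthorizationPolicy "paths" rule.
DENY_PREFIXES = ("/admin",)


def normalize_path(raw_path: str) -> str:
    """Return the request path with any fragment removed.

    Only the literal '#' is treated as a fragment delimiter; a percent-encoded
    '%23' is data within the path and is left untouched.
    """
    return raw_path.split("#", 1)[0]


def is_denied(path: str) -> bool:
    """Policy check on an already-normalized path."""
    return any(path == p or path.startswith(p + "/") for p in DENY_PREFIXES)


def authorize(raw_path: str, normalize: bool) -> str:
    """Evaluate the policy with or without the normalization step.

    Returns "deny" or "allow". normalize=False models the vulnerable
    behaviour described in the advisory; normalize=True models the fix.
    """
    path = normalize_path(raw_path) if normalize else raw_path
    return "deny" if is_denied(path) else "allow"


if __name__ == "__main__":
    # Constructed request-line paths for demonstration.
    samples = ["/admin", "/admin#section", "/admin/users?page=1#top", "/public#x"]
    for raw in samples:
        print(f"{raw:28} raw-path policy: {authorize(raw, False):5}  "
              f"normalized policy: {authorize(raw, True)}")
```

Run as a script, the table shows `/admin#section` allowed by the raw-path check but denied once the fragment is stripped; the same normalization is what the Lua filter workaround has to perform on `:path` before the authorization filter sees the request.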

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://istio.io/latest/news/security/istio-security-2021-008

https://github.com/istio/istio/security/advisories/GHSA-hqxw-mm44-gc4r

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

7.5

Base Severity

HIGH