Istio
CVE-2021-31920
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used.
AnalysisAI
Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-706. Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used. Affected products include: Istio. Version information: before 1.8.6.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can acc
Istio 1.3.x before 1.3.5 allows Denial of Service because continue_on_listener_filters_timeout is set to True, a related
Envoy 1.12.0 allows a remote denial of service because of resource loops, as demonstrated by a single idle TCP connectio
Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service
Istio 1.1.x through 1.1.6 has Incorrect Access Control. Rated high severity (CVSS 7.5), this vulnerability is no authent
In Istio 1.5.0 though 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY
Istio is an open platform to connect, manage, and secure microservices. Rated critical severity (CVSS 9.8), this vulnera
Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified i
Authentication enforcement in Istio service mesh fails open: prior to 1.29.1, 1.28.5, and 1.27.8, when the JWKS resolver
Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry c
Istio is an open platform to connect, manage, and secure microservices. Rated high severity (CVSS 7.5), this vulnerabili
Istio is an open platform to connect, manage, and secure microservices. Rated high severity (CVSS 7.5), this vulnerabili
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today