CVSS: 8.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-39156 – Fragments in Path May Lead to Authorization Policy Bypass
https://notcve.org/view.php?id=CVE-2021-39156
Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio’s URI path based authorization policies. Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize the path. Istio es una plataforma de código abierto que proporciona una forma uniforme de integrar microservicios, administrar el flujo de tráfico entre microservicios, aplicar políticas y agregar datos de telemetría. • https://github.com/istio/istio/security/advisories/GHSA-hqxw-mm44-gc4r https://istio.io/latest/news/security/istio-security-2021-008 https://access.redhat.com/security/cve/CVE-2021-39156 https://bugzilla.redhat.com/show_bug.cgi?id=1996915 • CWE-706: Use of Incorrectly-Resolved Name or Reference CWE-863: Incorrect Authorization •
CVSS: 8.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-39155 – Authorization Policy Bypass Due to Case Insensitive Host Comparison
https://notcve.org/view.php?id=CVE-2021-39155
Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname "httpbin.foo" for some source IPs, but the attacker can bypass this by sending the request with hostname "Httpbin.Foo". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. • https://datatracker.ietf.org/doc/html/rfc4343 https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j https://access.redhat.com/security/cve/CVE-2021-39155 https://bugzilla.redhat.com/show_bug.cgi?id=1996929 • CWE-178: Improper Handling of Case Sensitivity CWE-863: Incorrect Authorization •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2021-31921 – istio/istio: authorization bypass when using AUTO_PASSTHROUGH
https://notcve.org/view.php?id=CVE-2021-31921
Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration. Istio antes de la versión 1.8.6 y 1.9.x antes de la versión 1.9.5 contiene una vulnerabilidad explotable de forma remota por la que un cliente externo puede acceder a servicios inesperados en el clúster, saltándose las comprobaciones de autorización, cuando una puerta de enlace está configurada con la configuración de enrutamiento AUTO_PASSTHROUGH An authorization bypass vulnerability was found in istio. When the istio gateway is configured with TLS mode `AUTO_PASSTHROUGH`, it is possible for a malicious user to bypass the authorization checks and gain access to protected services. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • https://istio.io/latest/news/security/istio-security-2021-006 https://access.redhat.com/security/cve/CVE-2021-31921 https://bugzilla.redhat.com/show_bug.cgi?id=1955396 • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 1CVE-2021-31920 – istio/istio: HTTP request with escaped slash characters can bypass authorization mechanisms
https://notcve.org/view.php?id=CVE-2021-31920
Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used. Istio versiones anteriores a 1.8.6 y versiones 1.9.x anteriores a 1.9.5 presenta una vulnerabilidad explotable de forma remota en la que una ruta de petición HTTP con múltiples barras o caracteres de barra de escape (%2F o %5C) podría omitir potencialmente una política de autorización de Istio cuando las reglas de autorización basadas en la ruta son usadas An authorization bypass flaw was found in Istio. This flaw allows an attacker to craft an HTTP request that defines a certain pattern of escaped characters in the URI path (such as %2F, %2f, %5C, or %5c), allowing them to bypass the authorization service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • https://istio.io/latest/news/security/istio-security-2021-005 https://access.redhat.com/security/cve/CVE-2021-31920 https://bugzilla.redhat.com/show_bug.cgi?id=1959481 • CWE-706: Use of Incorrectly-Resolved Name or Reference CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-25014 – istio-pilot: requests to debug api can result in panic
https://notcve.org/view.php?id=CVE-2019-25014
A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go getResourceVersion in Istio pilot before 1.5.0-alpha.0. If a particular HTTP GET request is made to the pilot API endpoint, it is possible to cause the Go runtime to panic (resulting in a denial of service to the istio-pilot application). Se encontró una desreferencia del puntero NULL en el archivo pkg/proxy/envoy/v2/debug.go en la función getResourceVersion en Istio pilot versiones anteriores a 1.5.0-alpha.0. Si es realizado una petición HTTP GET en particular al endpoint de la API pilot, es posible que el tiempo de ejecución de Go entre en pánico (resultando en una denegación de servicio para la aplicación istio-pilot) An out-of-bounds read flaw was found in istio-pilot. This flaw allows an attacker to send a crafted HTTP GET request to the pilot debug API endpoint. • https://bugzilla.redhat.com/show_bug.cgi?id=1919066 https://github.com/istio/istio/compare/1.4.2...1.5.0-alpha.0 https://access.redhat.com/security/cve/CVE-2019-25014 • CWE-125: Out-of-bounds Read CWE-476: NULL Pointer Dereference •