CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14306 – openshift-service-mesh/istio-rhel8-operator: control plane can deploy gateway image to any namespace
https://notcve.org/view.php?id=CVE-2020-14306
An incorrect access control flaw was found in the operator, openshift-service-mesh/istio-rhel8-operator all versions through 1.1.3. This flaw allows an attacker with a basic level of access to the cluster to deploy a custom gateway/pod to any namespace, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo de control de acceso incorrecto en el operador, openshift-service-mesh/istio-rhel8-operator todas las versiones hasta 1.1.3. Este fallo permite a un atacante con un nivel básico de acceso al clúster implementar un gateway/pod personalizado en cualquier espacio de nombres, consiguiendo potencialmente acceso a tokens de cuentas de servicio privilegiadas. • https://bugzilla.redhat.com/show_bug.cgi?id=1850380 https://github.com/maistra/istio-operator/pull/462 https://access.redhat.com/security/cve/CVE-2020-14306 • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-10739 – istio/envoy: crafted packet allows remote attacker to cause denial of service
https://notcve.org/view.php?id=CVE-2020-10739
Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the following vulnerability when telemetry v2 is enabled: by sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar, triggering a null pointer exception which results in a denial of service. This also affects servicemesh-proxy where a null pointer exception flaw was found in servicemesh-proxy. When running Telemetry v2 (not on by default in version 1.4.x), an attacker could send a specially crafted packet to the ingress gateway or proxy sidecar, triggering a denial of service. Istio versiones 1.4.x anteriores a 1.4.9 e Istio versiones 1.5.x anteriores a 1.5.4, contienen la siguiente vulnerabilidad cuando se habilita la telemetry v2: al enviar un paquete especialmente diseñado, un atacante podría desencadenar una Excepción de Puntero Null resultando en una Denegación de Servicio. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10739 https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153#diff-fcf2cf5dd389b5285f882ba4a8708633 https://istio.io/news/security/istio-security-2020-005 https://access.redhat.com/security/cve/CVE-2020-10739 https://bugzilla.redhat.com/show_bug.cgi?id=1833184 • CWE-476: NULL Pointer Dereference •
CVSS: 3.1EPSS: 0%CPEs: 2EXPL: 1CVE-2020-11767
https://notcve.org/view.php?id=CVE-2020-11767
Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak issue. If there is a TCP connection (negotiated with SNI over HTTPS) to *.example.com, a request for a domain concurrently configured explicitly (e.g., abc.example.com) is sent to the server(s) listening behind *.example.com. The outcome should instead be 421 Misdirected Request. Imagine a shared caching forward proxy re-using an HTTP/2 connection for a large subnet with many users. If a victim is interacting with abc.example.com, and a server (for abc.example.com) recycles the TCP connection to the forward proxy, the victim's browser may suddenly start sending sensitive data to a *.example.com server. • https://bugs.chromium.org/p/chromium/issues/detail?id=954160#c5 https://github.com/envoyproxy/envoy/issues/6767 https://github.com/istio/istio/issues/13589 https://github.com/istio/istio/issues/9429 •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8843
https://notcve.org/view.php?id=CVE-2020-8843
An issue was discovered in Istio 1.3 through 1.3.6. Under certain circumstances, it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts the x-istio-attributes header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to a source equal to ingress. To exploit this vulnerability, someone has to encode a source.uid in this header. This feature is disabled by default in Istio 1.3 and 1.4. • https://github.com/istio/istio/commits/master https://istio.io/news/security https://istio.io/news/security/istio-security-2020-002 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-8595 – istio: unauthorised access to JWT protected HTTP path
https://notcve.org/view.php?id=CVE-2020-8595
Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match. Las versiones Istio 1.2.10 (End of Life) y anteriores, 1.3 a 1.3.7, y 1.4 a 1.4.3 permiten la omisión de autenticación. • https://access.redhat.com/errata/RHSA-2020:0477 https://access.redhat.com/security/cve/cve-2020-8595 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8595 https://github.com/istio/istio/commits/master https://istio.io/news/security https://istio.io/news/security/istio-security-2020-001 https://access.redhat.com/security/cve/CVE-2020-8595 https://bugzilla.redhat.com/show_bug.cgi?id=1798247 • CWE-285: Improper Authorization CWE-287: Improper Authentication •