
CVE-2020-8843


Severity Score: 7.4 (CVSS v3.1)

Exploit Likelihood: (EPSS)

Affected Versions: (CPE)

Public Exploits: 0 (multiple sources)

Exploited in Wild: - (KEV)

Decision: - (SSVC)
Descriptions

An issue was discovered in Istio 1.3 through 1.3.6. Under certain circumstances, it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts the x-istio-attributes header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to a source equal to ingress. To exploit this vulnerability, someone has to encode a source.uid in this header. This feature is disabled by default in Istio 1.3 and 1.4.


*Credits: N/A
CVSS Scores
CVSS v3.1 (7.4)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-02-10 CVE Reserved
  • 2020-02-14 CVE Published
  • 2023-12-19 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Istio
  • Product: Istio
  • Version: >= 1.3.0 <= 1.3.6
  • Other: -
  • Status: Affected