CVE-2021-31921
istio/istio: authorization bypass when using AUTO_PASSTHROUGH
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration.
Istio antes de la versión 1.8.6 y 1.9.x antes de la versión 1.9.5 contiene una vulnerabilidad explotable de forma remota por la que un cliente externo puede acceder a servicios inesperados en el clúster, saltándose las comprobaciones de autorización, cuando una puerta de enlace está configurada con la configuración de enrutamiento AUTO_PASSTHROUGH
An authorization bypass vulnerability was found in istio. When the istio gateway is configured with TLS mode `AUTO_PASSTHROUGH`, it is possible for a malicious user to bypass the authorization checks and gain access to protected services. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-04-30 CVE Reserved
- 2021-05-20 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2024-10-05 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-862: Missing Authorization
- CWE-863: Incorrect Authorization
CAPEC
References (3)
URL | Tag | Source |
---|
URL | Date | SRC |
---|---|---|
https://istio.io/latest/news/security/istio-security-2021-006 | 2024-08-03 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2021-31921 | 2021-05-20 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1955396 | 2021-05-20 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Istio Search vendor "Istio" | Istio Search vendor "Istio" for product "Istio" | < 1.8.6 Search vendor "Istio" for product "Istio" and version " < 1.8.6" | - |
Affected
| ||||||
Istio Search vendor "Istio" | Istio Search vendor "Istio" for product "Istio" | >= 1.9.0 < 1.9.5 Search vendor "Istio" for product "Istio" and version " >= 1.9.0 < 1.9.5" | - |
Affected
|