CVE-2021-39156

Incorrect Authorization in go/github.com/istio/istio

Identifier

CVE-2021-39156

Package Slug

go/github.com/istio/istio

Vulnerability

Incorrect Authorization

Description

Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio contains a remotely exploitable vulnerability where an HTTP request with #fragment in the path may bypass Istio's URI path-based authorization policies. As a workaround, a Lua filter may be written to normalize the path.
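The mismatch behind this class of bypass, and the effect of normalizing the path before the policy check, shown as an added example that is not Istio or Envoy code. The rule type, the function names and the sample paths are constructed for illustration, and it assumes the backend ignores the fragment when routing the request.

```go
package main

import (
	"fmt"
	"strings"
)

// rule is a simplified DENY rule keyed on an exact request path.
// It is a hypothetical model, not Istio's AuthorizationPolicy implementation.
type rule struct{ path string }

// denied reports whether any DENY rule matches the path exactly.
func denied(rules []rule, path string) bool {
	for _, r := range rules {
		if r.path == path {
			return true
		}
	}
	return false
}

// stripFragment drops everything from the first '#' onward, so the policy
// check sees the path without the fragment (assumed to be what the backend
// acts on).
func stripFragment(path string) string {
	if i := strings.IndexByte(path, '#'); i >= 0 {
		return path[:i]
	}
	return path
}

// check returns the DENY decision on the raw path and on the normalized path.
func check(rules []rule, rawPath string) (rawDenied, normDenied bool) {
	return denied(rules, rawPath), denied(rules, stripFragment(rawPath))
}

func main() {
	rules := []rule{{path: "/admin"}} // constructed policy
	// Constructed request paths.
	for _, p := range []string{"/admin", "/admin#section", "/public#x"} {
		raw, norm := check(rules, p)
		fmt.Printf("%-16q denied(raw)=%-5v denied(normalized)=%v\n", p, raw, norm)
	}
}
```

A request whose raw decision differs from its normalized decision is one the path rule failed to cover, which also makes the comparison usable as a check over access logs.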

Affected Versions

All versions before 1.9.8, all versions starting from 1.10.0 before 1.10.3, all versions starting from 1.11.0 before 1.11.1

Solution

Upgrade to version 1.9.8, 1.10.3, 1.11.1 or above.

Last Modified

2021-09-02
