CVE-2020-8843: Improper Input Validation

February 14, 2020 (updated February 19, 2020)

Under certain circumstances, it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts the x-istio-attributes header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to a source equal to ingress. To exploit this vulnerability, someone has to encode a source.uid in this header.

References

istio.io/news/security/
istio.io/news/security/istio-security-2020-002/
nvd.nist.gov/vuln/detail/CVE-2020-8843

Detect and mitigate CVE-2020-8843 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →