CVE-2021-34824

Published: 29/06/2021 Updated: 12/07/2022
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 578
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

Vulnerable Product

istio istio

Vendor Advisories

A flaw was found in istio. Any client authorized to access Istio XDS API can retrieve any cached gateway TLS certificate and private keys. The highest threat from this vulnerability is to data confidentiality ...
Istio before version 1.10.2 contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces. The Istio Gateway and DestinationRule can load private keys and certificates from Kubernetes secrets via the credentialName configuration. For Istio ...

Github Repositories

reproducing an old istio bug

CVE-2021-34824 repro: reproducing an old istio bug. This set of scripts and manifests will aid in exploring an old Istio security issue which allowed malicious Istio users to access Kubernetes secrets they should not have access to. This reproduction is modeled on this blog post, which has some problems. See this blog post for details. Using: See the vulnerability: Run /one_time_s