CVE-2021-39155

Published: 24/08/2021 Updated: 21/02/2024
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

An authorization bypass vulnerability was found in istio/istio. The case-insensitive host comparison works incorrectly when evaluating rules specified with `host` or `notHost`. This flaw allows a malicious user to bypass an Istio authorization policy that uses hosts in the rules, potentially gaining access to the downstream services. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Vulnerable Product

istio istio

Vendor Advisories

An authorization bypass vulnerability was found in istio/istio. The case-insensitive host comparison works incorrectly when evaluating rules specified with `host` or `notHost`. This flaw allows an attacker to bypass an Istio authorization policy that uses hosts in the rules, potentially gaining access to the downstream services. The highest threat ...
A security issue has been found in Istio before version 1.11.1. According to RFC 4343, Istio authorization policy should compare the hostname in the HTTP Host header in a case-insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way, which means the authorization policy coul ...
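The advisories above describe a mismatch between two components: the proxy routes on the Host header case-insensitively (per RFC 4343), while the policy evaluator compared `host`/`notHost` rule values case-sensitively. The following added example (constructed for this page, not Istio's own code) models that bug class with a small host-based rule evaluator: a deliberately case-sensitive matcher beside a hardened one that canonicalizes both the rule values and the request host before comparing. The rule structure, evaluation order (DENY rules first, then ALLOW rules) and the port-stripping in `canonical_host` are simplifying assumptions made for the example, not a description of Istio's implementation.

```python
"""
Constructed example: host-based authorization rules evaluated against an
HTTP Host header, showing why the comparison must be case-insensitive.
Not Istio code; rule layout and evaluation order are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class HostRule:
    action: str                                   # "ALLOW" or "DENY"
    hosts: set = field(default_factory=set)       # like a policy `hosts` list
    not_hosts: set = field(default_factory=set)   # like a policy `notHosts` list


def canonical_host(host_header: str) -> str:
    """Canonical form used for routing and (in the fixed matcher) for policy.

    Hostnames are case-insensitive (RFC 4343); the port suffix is dropped
    here as an assumption so that 'API.Example.COM:8080' and
    'api.example.com' refer to the same service.
    """
    return host_header.split(":")[0].lower()


def route_target(host_header: str) -> str:
    """The proxy picks the upstream service by the canonical hostname."""
    return canonical_host(host_header)


def rule_matches_vulnerable(rule: HostRule, host_header: str) -> bool:
    """Bug-class variant: raw, case-sensitive comparison of the Host header."""
    if rule.hosts and host_header not in rule.hosts:
        return False
    if rule.not_hosts and host_header in rule.not_hosts:
        return False
    return True


def rule_matches_fixed(rule: HostRule, host_header: str) -> bool:
    """Hardened variant: canonicalize rule values and the request host alike."""
    h = canonical_host(host_header)
    hosts = {canonical_host(x) for x in rule.hosts}
    not_hosts = {canonical_host(x) for x in rule.not_hosts}
    if hosts and h not in hosts:
        return False
    if not_hosts and h in not_hosts:
        return False
    return True


def authorize(rules, host_header: str, matcher) -> bool:
    """Assumed evaluation order: any matching DENY rejects; if ALLOW rules
    exist, at least one must match; with no ALLOW rules the request passes."""
    for rule in rules:
        if rule.action == "DENY" and matcher(rule, host_header):
            return False
    allows = [r for r in rules if r.action == "ALLOW"]
    if not allows:
        return True
    return any(matcher(r, host_header) for r in allows)


# Constructed policies: block the API host outright, allow everything but admin.
DENY_API = [HostRule("DENY", hosts={"api.example.com"})]
ALLOW_EXCEPT_ADMIN = [HostRule("ALLOW", not_hosts={"admin.example.com"})]


def policy_is_consistent_with_routing(rules, host_header: str, matcher) -> bool:
    """Detection-style check: a policy decision must not change when the
    Host header differs only in case or port from its routed target."""
    return authorize(rules, host_header, matcher) == authorize(
        rules, route_target(host_header), matcher)


if __name__ == "__main__":
    for hdr in ("api.example.com", "API.Example.COM", "Api.Example.com:8080"):
        print(hdr, "->", route_target(hdr),
              "vulnerable:", authorize(DENY_API, hdr, rule_matches_vulnerable),
              "fixed:", authorize(DENY_API, hdr, rule_matches_fixed))
```

The consistency check at the end is the property a reviewer of such a policy engine would want enforced: for every Host header variant that the proxy routes to the same service, the authorization decision must be identical, otherwise the casing of a header becomes a policy bypass.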