PT-2026-24489 · Istio · Istio

Hawton

Published 2026-03-10 · Updated 2026-04-01

CVE-2026-31838 · CVSS v4.0 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Istio versions prior to 1.29.1
Istio versions prior to 1.28.5
Istio versions prior to 1.27.8

Description

Istio is a platform for connecting, managing and securing microservices. Istio AuthorizationPolicy rules are enforced by Envoy's RBAC filter, and a flaw in that filter's header matching can let a request bypass a policy whose decision depends on an HTTP header that may carry multiple values. An attacker who sends such a header with more than one value (for example, by repeating it) can cause Envoy to evaluate a value the policy author did not intend, so the authorization check passes and the request reaches a protected service. The exposure is limited to policies whose allow or deny decisions depend on header matching (in Istio terms, conditions on `request.headers[...]`).

Recommendations

Update to Istio 1.29.1, 1.28.5 or 1.27.8 (or later) on the minor release line in use. Until the upgrade is complete, review AuthorizationPolicy resources for rules that depend on `request.headers[...]` and prefer identity-based conditions (such as source principals) for access decisions, since header values are attacker-controlled unless a trusted hop sets them and strips client-supplied copies.
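As an added illustration of the failure mode described above, here is a constructed model of a header-based ALLOW rule evaluated under different multi-valued-header semantics, together with a hardened variant that refuses a repeated security-relevant header. This is example code written for this page, not Envoy's RBAC filter, not Istio's code, and not the actual bypass; the header name `x-env`, the expected value `internal` and the sample requests are hypothetical. In Istio, the equivalent policy would be a `when` condition keyed on `request.headers[x-env]`.

```python
"""Constructed model of header-based authorization under multi-valued headers.

Added illustration, not Envoy's or Istio's code: it shows why a policy that
matches on an HTTP header must decide what a repeated header means before
the match can safely gate access.
"""
from typing import Callable

# A request is modelled as an ordered list of (name, value) pairs, which is
# how repeated headers arrive on the wire. Sample data below is constructed.
Headers = list[tuple[str, str]]


def header_values(headers: Headers, name: str) -> list[str]:
    """All values of `name`, matched case-insensitively, in wire order."""
    return [v for k, v in headers if k.lower() == name.lower()]


# Three plausible semantics for matching a multi-valued header against a
# policy value. Only the "all" semantic is safe for an ALLOW decision.
def match_first(values: list[str], wanted: str) -> bool:
    """Look only at the first occurrence (what many header APIs return)."""
    return bool(values) and values[0] == wanted


def match_any(values: list[str], wanted: str) -> bool:
    """Pass if any occurrence matches; a second, attacker-chosen value rides along."""
    return any(v == wanted for v in values)


def match_all(values: list[str], wanted: str) -> bool:
    """Pass only if every occurrence matches and the header is present."""
    return bool(values) and all(v == wanted for v in values)


def allowed(headers: Headers, name: str, wanted: str,
            matcher: Callable[[list[str], str], bool]) -> bool:
    """ALLOW rule: the request passes iff header `name` matches `wanted`."""
    return matcher(header_values(headers, name), wanted)


def allowed_hardened(headers: Headers, name: str, wanted: str) -> bool:
    """Hardened variant: a security-relevant header must appear exactly once
    and equal the expected value; repeated or absent headers are denied."""
    values = header_values(headers, name)
    return len(values) == 1 and values[0] == wanted


def demo() -> dict[str, bool]:
    """Evaluate constructed requests against the hypothetical x-env policy."""
    clean = [("host", "svc.example"), ("x-env", "internal")]
    repeated = [("host", "svc.example"),
                ("x-env", "internal"), ("x-env", "external")]
    missing = [("host", "svc.example")]
    return {
        "clean_first": allowed(clean, "x-env", "internal", match_first),
        "repeated_first": allowed(repeated, "x-env", "internal", match_first),
        "repeated_any": allowed(repeated, "x-env", "internal", match_any),
        "repeated_all": allowed(repeated, "x-env", "internal", match_all),
        "repeated_hardened": allowed_hardened(repeated, "x-env", "internal"),
        "clean_hardened": allowed_hardened(clean, "x-env", "internal"),
        "missing_hardened": allowed_hardened(missing, "x-env", "internal"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:20s} -> {'ALLOW' if decision else 'DENY'}")
```

The same request is admitted under "first" and "any" semantics and rejected under "all" and the hardened check, which is the whole point: a policy engine and the application behind it may disagree about what a repeated header means, and an ALLOW rule built on such a header inherits that ambiguity. The hardened variant is the behaviour to ask for when header matching cannot be avoided.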

Weakness Enumeration

Incorrect Authorization (CWE-863)

Related identifiers

CLEANSTART-2026-AS59691
CVE-2026-31838
GHSA-974C-2WXH-G4WW

Affected products

Istio