CVE-2020-8843

Name of the Vulnerable Software and Affected Versions Istio versions 1.3 through 1.3.6

Description An issue allows bypassing a specifically configured Mixer policy under certain circumstances. The Istio-proxy accepts the x-istio-attributes header at ingress, which can affect policy decisions when Mixer policy selectively applies to a source equal to ingress. Exploitation requires encoding a source.uid in this header. This feature is disabled by default in Istio 1.3 and 1.4.

Recommendations For Istio versions 1.3 through 1.3.6, consider disabling the feature that accepts the x-istio-attributes header at ingress to prevent policy bypass until a patch is available.