PT-2021-19595 · Istio · Istio

Ruilin +1

Published 2021-05-27 · Updated 2022-07-12

CVE-2021-31920

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Istio versions 1.8.0 through 1.8.6; Istio versions 1.9.0 through 1.9.5
Description: The issue allows an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) to potentially bypass an authorization policy when path-based authorization rules are used. This could lead to unauthorized access.
Recommendations: For Istio versions 1.8.0 through 1.8.5, update to version 1.8.6. For Istio versions 1.9.0 through 1.9.4, update to version 1.9.5.
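As an added illustration of the path-confusion class described above (example code, not Istio's or Envoy's own): a constructed path-based deny rule is matched once against the raw request path and once against a normalized path. The rule `/admin`, the sample paths, and the assumption that the upstream service folds backslashes to slashes are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// protectedPrefix is a constructed path-based rule: requests under
// /admin must be denied for this caller.
const protectedPrefix = "/admin"

// matchesRule is the comparison shared by both policy variants.
func matchesRule(p string) bool {
	return p == protectedPrefix || strings.HasPrefix(p, protectedPrefix+"/")
}

// naiveDenied compares the raw request path against the rule, so
// "//admin/users" and "/%2Fadmin/users" slip past it even though the
// upstream service ends up serving /admin/users.
func naiveDenied(rawPath string) bool {
	return matchesRule(rawPath)
}

// normalizePath brings the path into the form the backend will see:
// percent-escapes are decoded once, backslashes are folded to slashes
// (assumed backend behaviour), and repeated slashes and dot segments
// are collapsed by path.Clean.
func normalizePath(rawPath string) string {
	p, err := url.PathUnescape(rawPath)
	if err != nil {
		p = rawPath // malformed escape: keep as-is, Clean still runs
	}
	p = strings.ReplaceAll(p, `\`, "/")
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	return path.Clean(p)
}

// hardenedDenied normalizes before matching, so every spelling of the
// protected path is judged the same way.
func hardenedDenied(rawPath string) bool {
	return matchesRule(normalizePath(rawPath))
}

func main() {
	for _, p := range []string{"/admin/users", "//admin/users", "/%2Fadmin/users", "/%5Cadmin/users", "/public"} {
		fmt.Printf("%-18s naive=%-5v hardened=%v\n", p, naiveDenied(p), hardenedDenied(p))
	}
}
```

The defensive point is that the policy enforcement point and the upstream service must agree on one canonical path; normalizing (or rejecting) ambiguous encodings before evaluating rules closes the gap the advisory describes.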

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2021-31920
GHSA-6Q5M-22MQ-Q2XV
RHSA-2021:1538
RHSA-2021:1540

Affected Products

Istio