PT-2021-22413 · Istio · Istio

Yangminzhu · Published 2021-08-24 · Updated 2022-08-12 · CVE-2021-39156

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Istio versions 1.11.0, 1.10.3 and below, and 1.9.7 and below (that is, all versions prior to 1.11.1, 1.10.4, and 1.9.8).
Description: Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. A remotely exploitable issue exists where an HTTP request with a #fragment in the path may bypass Istio's URI path based authorization policies: the sidecar evaluated path rules against the request-target with the fragment still attached, so a request such as a raw `GET /admin#x` does not match an exact or suffix rule written for `/admin`, while an upstream application that discards the fragment still serves `/admin`. Browsers never transmit a fragment, but any client that writes the request line itself can.
Recommendations: For Istio versions 1.11.0 and below, update to version 1.11.1 or above. For Istio versions 1.10.3 and below, update to version 1.10.4 or above. For Istio versions 1.9.7 and below, update to version 1.9.8 or above. As a temporary workaround, consider writing a Lua filter that normalizes the path by stripping the #fragment from `:path` before authorization is evaluated.
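The bypass and the effect of the fix, as an added Go example that is not Istio's or Envoy's code. It reimplements the three path match forms an AuthorizationPolicy accepts (exact, `prefix*`, `*suffix`), runs a DENY rule set against raw request-targets with and without fragment stripping, and compares the filter's decision with the path the upstream routes on. Assumptions, labeled in the comments: the upstream is modeled with `net/url.Parse`, which splits `#...` off into `URL.Fragment`; whether a real backend does this is exactly what makes a given deployment exploitable. The sample request-targets are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// matchPath applies the path match forms an Istio AuthorizationPolicy accepts:
// presence ("*"), prefix ("/internal/*"), suffix ("*.php") and exact ("/admin").
// This is a stand-alone reimplementation for illustration, not Envoy's matcher.
func matchPath(pattern, path string) bool {
	switch {
	case pattern == "*":
		return true
	case strings.HasSuffix(pattern, "*"):
		return strings.HasPrefix(path, strings.TrimSuffix(pattern, "*"))
	case strings.HasPrefix(pattern, "*"):
		return strings.HasSuffix(path, strings.TrimPrefix(pattern, "*"))
	default:
		return pattern == path
	}
}

// stripFragment drops everything from the first '#' onward. This is the
// normalization the fixed releases apply before authorization (and what the
// Lua workaround does to :path); reimplemented here, not copied from Envoy.
func stripFragment(path string) string {
	if i := strings.IndexByte(path, '#'); i >= 0 {
		return path[:i]
	}
	return path
}

// Decision is the outcome of one request through the modeled sidecar.
type Decision struct {
	Denied      bool   // what the RBAC filter decided
	BackendPath string // the path the upstream application routes on
}

// evaluate runs rawPath (the :path header as the client sent it) against a DENY
// policy listing denyPaths. With normalize=false the filter matches the raw
// header (pre-fix behaviour); with normalize=true the fragment is stripped first.
//
// Assumption: the upstream parses the request-target with net/url.Parse, which
// moves "#..." into URL.Fragment and routes on URL.Path. A backend that keeps
// the fragment in its routing key is not bypassable this way.
func evaluate(denyPaths []string, rawPath string, normalize bool) (Decision, error) {
	matchAgainst := rawPath
	if normalize {
		matchAgainst = stripFragment(rawPath)
	}
	denied := false
	for _, p := range denyPaths {
		if matchPath(p, matchAgainst) {
			denied = true
			break
		}
	}
	u, err := url.Parse(rawPath)
	if err != nil {
		return Decision{}, err
	}
	return Decision{Denied: denied, BackendPath: u.Path}, nil
}

// bypassed reports whether the request reached a path the policy meant to deny
// without the filter denying it.
func bypassed(denyPaths []string, rawPath string, normalize bool) (bool, error) {
	d, err := evaluate(denyPaths, rawPath, normalize)
	if err != nil {
		return false, err
	}
	if d.Denied {
		return false, nil
	}
	for _, p := range denyPaths {
		if matchPath(p, d.BackendPath) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	deny := []string{"/admin", "/internal/*", "*.php"}
	// Constructed request-targets; the ones with '#' only occur when a client
	// writes the request line itself (browsers strip fragments before sending).
	for _, raw := range []string{"/admin", "/admin#x", "/internal/db#x", "/upload.php#", "/public"} {
		for _, norm := range []bool{false, true} {
			b, err := bypassed(deny, raw, norm)
			if err != nil {
				fmt.Println("parse error:", err)
				continue
			}
			fmt.Printf("path=%-16s normalize=%-5v bypassed=%v\n", raw, norm, b)
		}
	}
}
```

Note the asymmetry the output shows: exact and suffix rules are defeated by an appended fragment, while a `prefix*` rule still matches because the fragment sits after the prefix. That is why an audit of affected clusters should look at exact and suffix DENY rules first, and why the fix is applied to `:path` before the RBAC filter rather than to the rules.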

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers

CVE-2021-39156
ECHO-7C50-890F-3B0C
GHSA-HQXW-MM44-GC4R
RHSA-2021:3272
RHSA-2021:3273

Affected Products

Istio