CVE-2021-31921

Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration.

References

https://istio.io/latest/news/security/istio-security-2021-006/

Affected packages

Git / github.com/istio/istio

Affected ranges

Type

GIT

Repo

https://github.com/istio/istio

Events

Introduced

Fixed

1aa9fc7a594d6ffc88ff8fd6cd416d8bafe4b214

Introduced

b63e1966c245924b10a0915a671a656540ed7a45

Fixed

67362755b7ca63ff1442d627a733627ed5c75df4

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.8.6"
        },
        {
            "introduced": "1.9.0"
        },
        {
            "fixed": "1.9.5"
        }
    ]
}

Affected versions

0.*

0.3.0

0.5.0

0.6.0

1.*

1.0.0-snapshot.0

1.1.0-snapshot.2

1.1.0.snapshot.0

1.1.0.snapshot.1

1.2.0-rc.0

1.2.0-rc.3

1.5.0-alpha.0

1.5.0-beta.1

1.5.0-beta.2

1.6.0-alpha.0

1.6.0-alpha.1

1.6.0-alpha.2

1.7.0-alpha.0

1.8.0

1.8.0-alpha.0

1.8.0-alpha.2

1.8.0-rc.0

1.8.0-rc.1

1.8.1

1.8.2

1.8.3

1.8.4

1.9.0

1.9.1

1.9.2

1.9.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31921.json"