CVE-2022-39388

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-39388

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39388.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-39388

Aliases

GHSA-6c6p-h79f-g6p4

Published

2022-11-10T00:00:00Z

Modified

2025-10-14T19:15:22.036914Z

Severity

7.6 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N CVSS Calculator

Summary

Istio may allow identity impersonation if user has localhost access

Details

Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds.

References

Affected packages

Git / github.com/istio/istio

Affected ranges

Type: GIT
Repo: https://github.com/istio/istio
Events: Introduced

895f3c2ce0be14370fa1d379eadbd69486471852

Fixed

bc21f4628d31fe5380569db6fa0e73517d956a0d

Affected versions

1.*

1.15.0

1.15.0-beta.0

1.15.0-beta.1

1.15.0-rc.0

1.15.1

1.15.2