GHSA-6c6p-h79f-g6p4

Suggest an improvement
Source
https://github.com/advisories/GHSA-6c6p-h79f-g6p4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-6c6p-h79f-g6p4/GHSA-6c6p-h79f-g6p4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6c6p-h79f-g6p4
Aliases
Published
2022-11-09T22:07:01Z
Modified
2023-11-08T04:10:20.714703Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N CVSS Calculator
Summary
Istio may allow identity impersonation if user has localhost access
Details

Impact

User can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane.

Patches

1.15.3

Workarounds

No. If using 1.15.2 please upgrade to 1.15.3 or later.

References

None at this time.

For more information

If you have any questions or comments about this advisory, please email us at istio-security-vulnerability-reports@googlegroups.com

References

Affected packages

Go / github.com/istio/istio

Package

Name
github.com/istio/istio
View open source insights on deps.dev
Purl
pkg:golang/github.com/istio/istio

Affected ranges

Type
SEMVER
Events
Introduced
1.15.0-beta.0
Fixed
1.15.3