GHSA-hqxw-mm44-gc4r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hqxw-mm44-gc4r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-hqxw-mm44-gc4r/GHSA-hqxw-mm44-gc4r.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hqxw-mm44-gc4r
- Aliases
- Related
- Published
- 2021-08-30T16:16:14Z
- Modified
- 2024-07-15T22:12:26.160086Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Istio Fragments in Path May Lead to Authorization Policy Bypass
- Details
-
Impact
Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with
#fragmentin the path may bypass Istio’s URI path based authorization policies.Patches
- Istio 1.11.1 and above
- Istio 1.10.4 and above
- Istio 1.9.8 and above
Workarounds
A Lua filter may be written to normalize the path. This is similar to the Path normalization presented in the Security Best Practices guide.
References
More details can be found in the Istio Security Bulletin
For more information
If you have any questions or comments about this advisory, please email us at istio-security-vulnerability-reports@googlegroups.com
- Database specific
{ "nvd_published_at": "2021-08-24T23:15:00Z", "github_reviewed_at": "2021-08-25T22:28:17Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-706", "CWE-863" ] }- References
Affected packages
Go / istio.io/istio
Package
- Name
- istio.io/istio
- View open source insights on deps.dev
- Purl
- pkg:golang/istio.io/istio
Go / istio.io/istio
Package
- Name
- istio.io/istio
- View open source insights on deps.dev
- Purl
- pkg:golang/istio.io/istio
Go / istio.io/istio
Package
- Name
- istio.io/istio
- View open source insights on deps.dev
- Purl
- pkg:golang/istio.io/istio