CVE-2022-39388

2022-11-10 20:15:10
CWE-863
GitHub_M
web.nvd.nist.gov
Tags: istio, cve-2022-39388, microservices, security, vulnerability, patch

CVSS3: 7.6

Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

AI Score: 3.9
Confidence: High

EPSS: 0
Percentile: 15.5%

Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds.

Affected configurations

Nvd
Vulners
Node: istio istio, Range: 1.15.0 - 1.15.2

Vendor   Product   Version   CPE
istio    istio     *         cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "istio",
    "product": "istio",
    "versions": [
      {
        "version": ">= 1.15.0-beta.0, < 1.15.3",
        "status": "affected"
      }
    ]
  }
]
