
CVE-2021-39156 Fragments in Path May Lead to Authorization Policy Bypass

Published: 2021-08-24 22:30:12
CWE-863
Source: cvelist / GitHub_M (www.cve.org)

CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

AI Score: 8.3 High (Confidence: High)
EPSS: 0.002 Low (Percentile: 53.6%)

Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with a #fragment in the path may bypass Istio’s URI path based authorization policies. Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a workaround, a Lua filter may be written to normalize the path.
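The defensive principle behind the Lua workaround is that the authorization decision must be made on the same path the upstream application will serve, so any fragment has to be stripped before the policy is evaluated. The following Go program is an added illustration written for this page; it is not Istio's code, not the published Lua filter, and the `Policy` type with its exact-match `DenyPaths` is a hypothetical stand-in for a URI path based rule. It contrasts a check on the raw request target with a check on the normalized path, and goes slightly beyond the advisory by also dropping the query string during normalization (an assumption, not something the advisory states).

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is a hypothetical, minimal model of a URI path based authorization
// rule: a request whose path equals one of DenyPaths is rejected, everything
// else is allowed. It is not Istio's AuthorizationPolicy type.
type Policy struct {
	DenyPaths []string
}

// normalizePath reduces a request target to the path the upstream will serve.
// The fragment ("#...") is removed first because, per RFC 3986, it follows the
// query; the query ("?...") is then removed as well (an assumption added for
// this example; the advisory only concerns the fragment). An empty result is
// mapped to "/" so an otherwise empty target cannot slip past an exact match.
func normalizePath(raw string) string {
	p := raw
	if i := strings.IndexByte(p, '#'); i >= 0 {
		p = p[:i]
	}
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i]
	}
	if p == "" {
		p = "/"
	}
	return p
}

// allowedRaw models the weak behaviour: the deny rule is compared against the
// unnormalized target, so "/admin#x" is not equal to "/admin" and is allowed
// even though the application will serve "/admin".
func (pol Policy) allowedRaw(target string) bool {
	for _, d := range pol.DenyPaths {
		if target == d {
			return false
		}
	}
	return true
}

// allowedNormalized is the corrected check: normalize first, then match.
func (pol Policy) allowedNormalized(target string) bool {
	return pol.allowedRaw(normalizePath(target))
}

func main() {
	pol := Policy{DenyPaths: []string{"/admin"}}
	// Constructed sample request targets for the demonstration.
	for _, req := range []string{"/admin", "/admin#section", "/admin?x=1#f", "/public"} {
		fmt.Printf("%-16s raw=%-5v normalized=%v\n",
			req, pol.allowedRaw(req), pol.allowedNormalized(req))
	}
}
```

Run with `go run main.go`; the raw column shows the fragment-bearing target being allowed while the normalized column denies it. In a real deployment the same normalization belongs in the proxy (the Lua filter the advisory mentions) or is obtained by upgrading to a patched Istio release, so that every policy, not just one rule, sees the canonical path.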

CNA Affected

[
  {
    "product": "istio",
    "vendor": "istio",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.9.8"
      },
      {
        "status": "affected",
        "version": ">= 1.10.0, < 1.10.4"
      },
      {
        "status": "affected",
        "version": ">= 1.11.0, < 1.11.1"
      }
    ]
  }
]
