GitHub Advisory Database: GHSA-6C6P-H79F-G6P4
Published Nov 09, 2022, 10:07 p.m.

Istio may allow identity impersonation if user has localhost access

CWE-863 (Incorrect Authorization)
Source: GitHub Advisory Database (github.com)
Tags: istio, localhost access, identity impersonation, service mesh, istiod, control plane, patch 1.15.3

CVSS 3.1 base score: 7.6 (High)
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: Low
Availability Impact: None

EPSS: 0 (percentile 15.5%)

Impact

A user who already has localhost access to the Istiod control plane (code running on the istiod host or inside its pod, or anything else that can reach istiod's loopback interface) can impersonate any workload identity within the service mesh. The prerequisite is a local foothold rather than a remote network path; the low privilege requirement and changed scope in the CVSS vector reflect that a small local foothold turns into mesh-wide identity.

Patches

1.15.3

Workarounds

None. Istio 1.15.0-beta.0 through 1.15.2 are affected; if you are running any of these releases, upgrade to 1.15.3 or later.
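A check worth running after reading the Patches and Workarounds sections is whether the control plane you operate is inside the affected range. The range starts at a pre-release tag (1.15.0-beta.0), so a plain string or float comparison gets it wrong; the version order has to treat 1.15.0-beta.0 as older than 1.15.0 and 1.15.0-beta.10 as newer than 1.15.0-beta.2. The Go program below is an added example written for this page, not code from the advisory or from the Istio project. It assumes that `istioctl version -o json` lists control-plane components under a `meshVersion` array with `Component` and `Info.version` fields and that istiod reports itself as the `pilot` component; the embedded JSON is constructed for the example, not captured from a real mesh.

```go
package main

import (
	"cmp"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)
const (
	affectedFrom = "1.15.0-beta.0" // first affected version (from the advisory)
	fixedIn      = "1.15.3"        // first fixed version, i.e. the exclusive upper bound
)

// version is a parsed Istio tag such as "1.15.0-beta.0": major, minor, patch
// and the dot-separated pre-release fields after the '-' (nil for a release).
type version struct {
	nums [3]int
	pre  []string
}

func parseVersion(s string) (version, error) {
	var v version
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = strings.Split(s[i+1:], "."), s[:i]
	}
	if n, err := fmt.Sscanf(s, "%d.%d.%d", &v.nums[0], &v.nums[1], &v.nums[2]); err != nil || n != 3 {
		return v, fmt.Errorf("bad version %q", s)
	}
	return v, nil
}

// compare returns -1, 0 or 1. A release is newer than its own pre-releases; pre-release fields
// compare as numbers when both are numeric, else as strings, and a shorter tag sorts first.
func compare(a, b version) int {
	for i := range a.nums {
		if c := cmp.Compare(a.nums[i], b.nums[i]); c != 0 {
			return c
		}
	}
	if (a.pre == nil) != (b.pre == nil) {
		return cmp.Compare(len(b.pre), len(a.pre)) // the side with no pre-release tag wins
	}
	for i := 0; i < len(a.pre) && i < len(b.pre); i++ {
		an, aerr := strconv.Atoi(a.pre[i])
		bn, berr := strconv.Atoi(b.pre[i])
		c := cmp.Compare(a.pre[i], b.pre[i])
		if aerr == nil && berr == nil {
			c = cmp.Compare(an, bn)
		}
		if c != 0 {
			return c
		}
	}
	return cmp.Compare(len(a.pre), len(b.pre))
}

// affected reports whether an Istio version string is inside the advisory's range.
func affected(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	from, _ := parseVersion(affectedFrom)
	fixed, _ := parseVersion(fixedIn)
	return compare(v, from) >= 0 && compare(v, fixed) < 0, nil
}

// affectedControlPlane reads `istioctl version -o json` output and returns "component version"
// for each control-plane entry in range. The JSON field names are an assumption about istioctl.
func affectedControlPlane(out []byte) ([]string, error) {
	var cp struct {
		MeshVersion []struct {
			Component string
			Info      struct{ Version string `json:"version"` }
		} `json:"meshVersion"`
	}
	if err := json.Unmarshal(out, &cp); err != nil {
		return nil, err
	}
	var hits []string
	for _, m := range cp.MeshVersion {
		if hit, err := affected(m.Info.Version); err != nil {
			return nil, err
		} else if hit {
			hits = append(hits, m.Component+" "+m.Info.Version)
		}
	}
	return hits, nil
}

// sampleOutput is constructed to look like istioctl's JSON; it was not captured from a real mesh.
const sampleOutput = `{"meshVersion": [{"Component": "pilot", "Info": {"version": "1.15.2"}}]}`

func main() {
	hits, err := affectedControlPlane([]byte(sampleOutput))
	fmt.Println(hits, err) // [pilot 1.15.2] <nil>
}
```

To use it against a real cluster, replace `sampleOutput` with the bytes returned by `istioctl version -o json`. The result only tells you whether istiod is inside the vulnerable range; it says nothing about who already has localhost access to it. Since the advisory offers no workaround, treat the upgrade as the fix, and separately review what shares istiod's loopback interface, such as hostNetwork pods and node-level agents on the istiod node, when judging how exposed a still-unpatched control plane is.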

References

None at this time.

For more information

If you have any questions or comments about this advisory, please email us at [email protected]

Affected configurations

Vendor: istio
Product: istio
Version range: >= 1.15.0-beta.0, < 1.15.3
CPE: cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*
