Lucene search

GoogleOSV:CVE-2022-39388

HistoryNov 10, 2022 - 8:15 p.m.

CVE-2022-39388

2022-11-1020:15:10

Google

osv.dev

istio

microservices

security

CVSS3

7.6

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

AI Score

Confidence

High

EPSS

Percentile

15.5%

JSON

Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds.

References

github.com/istio/istio/commit/346260e5115e9fbc65ba8a559bc686e6ca046a32

github.com/istio/istio/commit/9a643e270421560afb2630e00f76d46a55499df9

github.com/istio/istio/security/advisories/GHSA-6c6p-h79f-g6p4

istio.io/latest/news/releases/1.15.x/announcing-1.15.3/

CVSS3

7.6

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

AI Score

Confidence

High

EPSS

Percentile

15.5%

JSON

Related for OSV:CVE-2022-39388