Lucene search
GoogleOSV:GHSA-82MM-FFJR-H86CHistoryFeb 15, 2022 - 1:57 a.m.
Authorization bypass in Istio
2022-02-1501:57:18
Google
osv.dev
9
istio
authorizationpolicy
deny
wildcard suffixes
source principals
namespace
bypass
intended policy
security issue
In Istio 1.5.0 though 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy.
Specific Go Packages Affected
References
github.com/istio/istio/commit/4c73414556b83f0e75c1b3a0a89a23103a71573c
github.com/istio/istio/commit/72d2e135374f421b656d6f1a21f474db46134ace
github.com/istio/istio/releases
github.com/istio/istio/releases/tag/1.5.9
github.com/istio/istio/releases/tag/1.6.8
istio.io/latest/news/releases/1.5.x/announcing-1.5.9
istio.io/latest/news/releases/1.6.x/announcing-1.6.8
istio.io/latest/news/security/istio-security-2020-009
nvd.nist.gov/vuln/detail/CVE-2020-16844
Related
veracode
veracode
Insecure Access Control
2020-08-12 02:11:57
gitlab
gitlab
Authorization bypass in Istio
2022-02-15 00:00:00
Authorization bypass in Istio
2022-02-15 00:00:00
prion
prion
Code injection
2020-10-01 17:15:00
redhatcve
redhatcve
CVE-2020-16844
2020-08-11 19:43:53
github
github
Authorization bypass in Istio
2022-02-15 01:57:18
nvd
nvd
CVE-2020-16844
2020-10-01 17:15:13
nessus
nessus
RHEL 8 : Red Hat OpenShift Service Mesh 1.1 (RHSA-2020:3425)
2020-08-11 00:00:00
cvelist
cvelist
CVE-2020-16844
2020-10-01 16:32:38
osv
osv
CVE-2020-16844
2020-10-01 17:15:13
redhat
redhat
cve
cve
CVE-2020-16844
2020-10-01 17:15:13