Source: Red Hat (redhat.com), RH:CVE-2020-16844
History: Aug 11, 2020 - 7:43 p.m.

CVE-2020-16844

Published: 2020-08-11 19:43:53 (redhat.com, access.redhat.com)

EPSS: 0.001 (percentile 34.4%)

An insecure access control vulnerability was found in Istio. If an authorization policy is created for a TCP service that includes a DENY rule with a prefix wildcard, Istio translates this into an Envoy string match, incorrectly removing the wildcard. This flaw allows an attacker to subvert particular DENY rules, potentially gaining access to restricted resources.

Mitigation

For an AuthorizationPolicy applied to a TCP service, if a DENY rule matches on the source principals (or namespaces) field with a prefix wildcard, such as:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-servicemesh   # placeholder name; the advisory does not give one
spec:
  action: DENY
  rules:
  - from:
    - source:
        principals:
        - "*/ns/servicemesh"   # prefix wildcard: the match affected by CVE-2020-16844 (quoted, since a bare * is a YAML alias)

Consider using an exact or suffix match instead, such as:

        principals:
        - "/foo/bar/ns/servicemesh"
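As an added check (example code, not from the Red Hat advisory or from Istio), the following lint flags the affected pattern in AuthorizationPolicy manifests: a DENY rule whose source principals or namespaces begin with a wildcard. It assumes the manifests have already been parsed into dicts (for example with yaml.safe_load); the two sample policies are constructed here, one mirroring the weak rule above and one using the exact match suggested.

```python
from typing import Dict, List, Tuple

# Source fields the advisory names: the principals (or namespaces) of a DENY rule.
CHECKED_FIELDS = ("principals", "namespaces")


def is_prefix_wildcard(value: str) -> bool:
    """True for values like '*/ns/servicemesh'. A bare '*' (match-all) is left
    alone, since it is not the pattern the advisory describes."""
    return len(value) > 1 and value.startswith("*")


def find_weak_deny_matches(policy: Dict) -> List[Tuple[int, str, str]]:
    """Return (rule_index, field, value) for each DENY match that relies on a
    prefix wildcard; an empty list means the policy does not use the pattern."""
    findings: List[Tuple[int, str, str]] = []
    spec = policy.get("spec", {})
    if spec.get("action") != "DENY":
        return findings  # only DENY rules are subverted by the bug
    for idx, rule in enumerate(spec.get("rules", [])):
        for frm in rule.get("from", []):
            source = frm.get("source", {})
            for field in CHECKED_FIELDS:
                for value in source.get(field, []):
                    if is_prefix_wildcard(value):
                        findings.append((idx, field, value))
    return findings


# Constructed sample policies, as yaml.safe_load would return them.
WEAK_POLICY = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "AuthorizationPolicy",
    "spec": {"action": "DENY",
             "rules": [{"from": [{"source": {"principals": ["*/ns/servicemesh"]}}]}]},
}
# Same intent expressed as an exact match, as the mitigation suggests.
FIXED_POLICY = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "AuthorizationPolicy",
    "spec": {"action": "DENY",
             "rules": [{"from": [{"source": {"principals": ["/foo/bar/ns/servicemesh"]}}]}]},
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, find_weak_deny_matches(pol))
```

The policy alone does not say whether the selected workload serves TCP, so a hit is something to review against the workload rather than proof of exposure.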
