Lucene search

Redhat.comRH:CVE-2021-39155

HistoryAug 24, 2021 - 10:15 p.m.

CVE-2021-39155

2021-08-2422:15:06

redhat.com

access.redhat.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

46.8%

JSON

An authorization bypass vulnerability was found in istio/istio. The case insensitive host comparison incorrectly works when evaluating rules specified with host or notHost. This flaw allows an attacker to bypass an Istio authorization policy that uses hosts in the rules, potentially gaining access to the downstream services. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

References

bugzilla.redhat.com/show_bug.cgi?id=1996929

istio.io/latest/news/security/istio-security-2021-008/

nvd.nist.gov/vuln/detail/CVE-2021-39155

www.cve.org/CVERecord?id=CVE-2021-39155

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

46.8%

JSON

Related for RH:CVE-2021-39155