CVE-2021-31920

Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*
cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*

History

12 Jul 2022, 17:42

Type Values Removed Values Added
CWE CWE-863 CWE-706

07 Jun 2021, 18:56

Type Values Removed Values Added
References (CONFIRM) https://istio.io/latest/news/security/istio-security-2021-005/ - (CONFIRM) https://istio.io/latest/news/security/istio-security-2021-005/ - Exploit, Vendor Advisory
CPE cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*
CWE CWE-863
CVSS v2 : unknown
v3 : unknown
v2 : 4.0
v3 : 6.5

27 May 2021, 05:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-05-27 05:15

Updated : 2024-02-04 21:47


NVD link : CVE-2021-31920

Mitre link : CVE-2021-31920

CVE.ORG link : CVE-2021-31920


JSON object : View

Products Affected

istio

  • istio
CWE
CWE-706

Use of Incorrectly-Resolved Name or Reference