CVE-2021-31921

Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*
cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*

History

01 May 2022, 01:54

Type Values Removed Values Added
CVSS v2 : 7.5
v3 : 9.8
v2 : 6.8
v3 : 9.8

30 Jul 2021, 14:15

Type Values Removed Values Added
Summary Istio before 1.8.6 and 1.9.x before 1.9.5, when a gateway is using the AUTO_PASSTHROUGH routing configuration, allows attackers to bypass authorization checks and access unexpected services in the cluster. Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration.

15 Jun 2021, 12:31

Type Values Removed Values Added
CPE cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*
References (MISC) https://istio.io/latest/news/security/istio-security-2021-006/ - (MISC) https://istio.io/latest/news/security/istio-security-2021-006/ - Exploit, Vendor Advisory
CWE CWE-862
CVSS v2 : unknown
v3 : unknown
v2 : 7.5
v3 : 9.8

02 Jun 2021, 16:28

Type Values Removed Values Added
New CVE

Information

Published : 2021-06-02 16:15

Updated : 2024-02-04 21:47


NVD link : CVE-2021-31921

Mitre link : CVE-2021-31921

CVE.ORG link : CVE-2021-31921


JSON object : View

Products Affected

istio

  • istio
CWE
CWE-862

Missing Authorization