Sign In

CVE-2021-39156

ADVISORY - github

Summary

Impact

Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with #fragment in the path may bypass Istio’s URI path based authorization policies.

Patches

  • Istio 1.11.1 and above
  • Istio 1.10.4 and above
  • Istio 1.9.8 and above

Workarounds

A Lua filter may be written to normalize the path. This is similar to the Path normalization presented in the Security Best Practices guide.

References

More details can be found in the Istio Security Bulletin

For more information

If you have any questions or comments about this advisory, please email us at istio-security-vulnerability-reports@googlegroups.com

EPSS Score: 0.00236 (0.461)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-706

Use of Incorrectly-Resolved Name or Reference

CWE-863

Incorrect Authorization

ADVISORY - github

CWE-706

Use of Incorrectly-Resolved Name or Reference

CWE-863

Incorrect Authorization

ADVISORY - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-706

Use of Incorrectly-Resolved Name or Reference

CWE-863

Incorrect Authorization

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-863

Incorrect Authorization

Impacted images

Advisories

NIST

CREATED

UPDATED

ADVISORY IDCVE-2021-39156
EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-706CWE-863

CVSS SCORE

8.1high

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-hqxw-mm44-gc4r
EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-706CWE-863

CVSS SCORE

8.1high

GitLab

CREATED

UPDATED

ADVISORY ID

CVE-2021-39156

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-1035CWE-706CWE-863CWE-937

CVSS SCORE

7.5high

Red Hat

CREATED

UPDATED

ADVISORY IDCVE-2021-39156
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-863

CVSS SCORE

8.3high

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-2g55-f2pj-qp7j

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-2wj5-vhh8-fgjm

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-3qgm-pwqj-g8h2

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-6vwp-43hr-5gcj

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-7fpx-gx27-pggp

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-cq3m-3vg2-6jxj

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-hjp5-xxj3-65xx

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-j3x2-jrvx-g3j4

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-jw75-prhc-9gq3

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-p9rh-qw8g-98pg

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-q7pc-wj96-h86j

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-r545-q28h-5x7f

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-rqrw-4h3w-j2qw

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-vw2f-g95m-3cpr

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-wq9r-7f7w-h375

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-x25g-gp3c-5phc

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-x2f7-f8jw-6crf

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY