{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Istio 1.5.0 though 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-01T16:32:38", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/istio/istio/releases"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://istio.io/latest/news/security/istio-security-2020-009/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-16844", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Istio 1.5.0 though 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/istio/istio/releases", "refsource": "MISC", "url": "https://github.com/istio/istio/releases"}, {"name": "https://istio.io/latest/news/security/istio-security-2020-009/", "refsource": "CONFIRM", "url": "https://istio.io/latest/news/security/istio-security-2020-009/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:45:34.406Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/istio/istio/releases"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://istio.io/latest/news/security/istio-security-2020-009/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-16844", "datePublished": "2020-10-01T16:32:38", "dateReserved": "2020-08-04T00:00:00", "dateUpdated": "2024-08-04T13:45:34.406Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "F442FD61-0BF6-40CF-A61F-17169F7164BB", "versionEndIncluding": "1.5.8", "versionStartIncluding": "1.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "77283330-B057-436E-9F15-59933DFE38E2", "versionEndIncluding": "1.6.7", "versionStartIncluding": "1.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Istio 1.5.0 though 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy."}, {"lang": "es", "value": "En Istio versiones 1.5.0 hasta 1.5.8 e Istio versiones 1.6.0 hasta 1.6.7, cuando los usuarios especifican un recurso AuthorizationPolicy con acciones DENY usando sufijos de comod\u00edn (por ejemplo, *-some-suffix) para los campos source principals o namespace, a los que llaman nunca se le denegar\u00e1 el acceso, omitiendo la pol\u00edtica prevista"}], "id": "CVE-2020-16844", "lastModified": "2020-10-15T17:31:28.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-01T17:15:13.150", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://github.com/istio/istio/releases"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://istio.io/latest/news/security/istio-security-2020-009/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Envoy Security Team for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:3425", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "package": "servicemesh-0:1.1.7-1.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-08-11T00:00:00Z"}], "bugzilla": {"description": "istio: incorrect translation of DENY policy for TCP service", "id": "1861625", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1861625"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-284", "details": ["In Istio 1.5.0 though 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy.", "An insecure access control vulnerability was found in Istio. If an authorization policy is created for a TCP service that includes a DENY rule with a prefix wildcard, Istio translates this into an Envoy string match, incorrectly removing the wildcard. This flaw allows an attacker to subvert particular DENY rules, potentially gaining access to restricted resources."], "mitigation": {"lang": "en:us", "value": "In regards to an AuthorizationPolicy for a TCP service, if using a DENY rule in the source principal (or namespace field) such as:\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\n...\nspec: \naction: DENY\nrules:\n- from:\n- source:\nprincipals:\n- */ns/servicemesh\nConsider using an exact or suffix match instead such as:\n- /foo/bar/ns/servicemesh"}, "name": "CVE-2020-16844", "public_date": "2020-08-11T19:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-16844\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-16844\nhttps://istio.io/latest/news/security/istio-security-2020-009/"], "threat_severity": "Moderate", "upstream_fix": "istio 1.5.9, istio 1.6.8"}