{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-07T14:30:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/istio/istio/releases"}, {"tags": ["x_refsource_MISC"], "url": "https://istio.io/latest/news/security/istio-security-2021-007"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-34824", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/istio/istio/releases", "refsource": "MISC", "url": "https://github.com/istio/istio/releases"}, {"name": "https://istio.io/latest/news/security/istio-security-2021-007", "refsource": "MISC", "url": "https://istio.io/latest/news/security/istio-security-2021-007"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T00:26:54.057Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/istio/istio/releases"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://istio.io/latest/news/security/istio-security-2021-007"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-34824", "datePublished": "2021-06-29T13:30:01", "dateReserved": "2021-06-17T00:00:00", "dateUpdated": "2024-08-04T00:26:54.057Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A6CA313-1E72-4FB9-BC66-807867DC5D5F", "versionEndExcluding": "1.9.6", "versionStartIncluding": "1.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "C8E5F796-20CB-492C-89EE-700291C82018", "versionEndExcluding": "1.10.2", "versionStartIncluding": "1.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces."}, {"lang": "es", "value": "Istio (versiones 1.8.x, 1.9.0-1.9.5 y 1.10.0-1.10.1) contiene una vulnerabilidad explotable de forma remota en la que se puede acceder a las credenciales especificadas en el campo Gateway y DestinationRule credentialName desde diferentes espacios de nombres"}], "id": "CVE-2021-34824", "lastModified": "2022-07-12T17:42:04.277", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-29T14:15:08.500", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/istio/istio/releases"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://istio.io/latest/news/security/istio-security-2021-007"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Upstream acknowledges the Istio project as the original reporter.", "bugzilla": {"description": "istio: istiod propagates user-specified TLS keys and certificates to the secure Istio gateways", "id": "1973478", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1973478"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "status": "draft"}, "cwe": "CWE-863", "details": ["Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.", "A flaw was found in istio. Any client authorized to access Istio XDS API can retrieve any cached gateway TLS certificate and private keys. The highest threat from this vulnerability is to data confidentiality."], "mitigation": {"lang": "en:us", "value": "This vulnerability can be mitigated by disabling istiod caching. This is controlled by the `PILOT_ENABLE_XDS_CACHE` environment variable being set to `false` on istiod. \nNote: since this disables XDS caching, it may impact the performance of istiod."}, "name": "CVE-2021-34824", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 2.0"}], "public_date": "2021-06-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-34824\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-34824\nhttps://istio.io/latest/news/security/istio-security-2021-007/"], "threat_severity": "Important", "upstream_fix": "istio 1.9.6, istio 1.10.2"}