{"containers": {"cna": {"affected": [{"product": "istio", "vendor": "istio", "versions": [{"status": "affected", "version": "<= 1.9.8"}, {"status": "affected", "version": ">= 1.10.0, < 1.10.4"}, {"status": "affected", "version": ">= 1.11.0, < 1.11.1"}]}], "descriptions": [{"lang": "en", "value": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-178", "description": "CWE-178: Improper Handling of Case Sensitivity", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-24T22:25:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j"}, {"tags": ["x_refsource_MISC"], "url": "https://datatracker.ietf.org/doc/html/rfc4343"}], "source": {"advisory": "GHSA-7774-7vr3-cc8j", "discovery": "UNKNOWN"}, "title": "Authorization Policy Bypass Due to Case Insensitive Host Comparison", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39155", "STATE": "PUBLIC", "TITLE": "Authorization Policy Bypass Due to Case Insensitive Host Comparison"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "istio", "version": {"version_data": [{"version_value": "<= 1.9.8"}, {"version_value": ">= 1.10.0, < 1.10.4"}, {"version_value": ">= 1.11.0, < 1.11.1"}]}}]}, "vendor_name": "istio"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-178: Improper Handling of Case Sensitivity"}]}]}, "references": {"reference_data": [{"name": "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j", "refsource": "CONFIRM", "url": "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j"}, {"name": "https://datatracker.ietf.org/doc/html/rfc4343", "refsource": "MISC", "url": "https://datatracker.ietf.org/doc/html/rfc4343"}]}, "source": {"advisory": "GHSA-7774-7vr3-cc8j", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:58:18.140Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://datatracker.ietf.org/doc/html/rfc4343"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39155", "datePublished": "2021-08-24T22:25:18", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-08-04T01:58:18.140Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "2FBF48C6-1E39-4692-A652-27E7DCDC81BC", "versionEndExcluding": "1.9.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "59BD6BCF-15CE-49D9-B487-EEA603D3D5CC", "versionEndExcluding": "1.10.4", "versionStartIncluding": "1.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "886DF572-26C9-4BC9-875F-F043D445C346", "versionEndExcluding": "1.11.1", "versionStartIncluding": "1.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide."}, {"lang": "es", "value": "Istio es una plataforma de c\u00f3digo abierto que proporciona una forma uniforme de integrar microservicios, administrar el flujo de tr\u00e1fico entre microservicios, aplicar pol\u00edticas y agregar datos de telemetr\u00eda. Seg\u00fan [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), la pol\u00edtica de autorizaci\u00f3n de Istio deber\u00eda comparar el nombre de host en el encabezado HTTP Host de forma no sensible a may\u00fasculas y min\u00fasculas, pero actualmente la comparaci\u00f3n es sensible a may\u00fasculas y min\u00fasculas. El proxy enrutar\u00e1 el nombre de host de la petici\u00f3n de forma no sensible a may\u00fasculas y min\u00fasculas, lo que significa que la pol\u00edtica de autorizaci\u00f3n podr\u00eda ser omitida. Por ejemplo, el usuario puede tener una pol\u00edtica de autorizaci\u00f3n que rechace peticiones con el nombre de host \"httpbin.foo\" para algunas IPs de origen, pero el atacante puede omitir esto mediante el env\u00edo de la petici\u00f3n con el nombre de host \"Httpbin.Foo\". Los parches est\u00e1n disponibles en Istio versi\u00f3n 1.11.1, Istio versi\u00f3n 1.10.4 e Istio versi\u00f3n 1.9.8. Como soluci\u00f3n, puede escribirse un filtro Lua para normalizar el encabezado Host antes de la comprobaci\u00f3n de la autorizaci\u00f3n. Esto es similar a la normalizaci\u00f3n de la Ruta presentada en la gu\u00eda [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization)."}], "id": "CVE-2021-39155", "lastModified": "2024-02-21T21:01:31.320", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-08-24T23:15:07.093", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://datatracker.ietf.org/doc/html/rfc4343"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-178"}, {"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-178"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank the Istio Product Security Working Group for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:3273", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "package": "servicemesh-0:1.1.17-3.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2021-08-25T00:00:00Z"}, {"advisory": "RHSA-2021:3272", "cpe": "cpe:/a:redhat:service_mesh:2.0::el8", "package": "servicemesh-0:2.0.7-3.el8", "product_name": "OpenShift Service Mesh 2.0", "release_date": "2021-08-25T00:00:00Z"}], "bugzilla": {"description": "istio/istio: HTTP request can bypass authorization mechanisms due to case insensitive host comparison", "id": "1996929", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1996929"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-863", "details": ["Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.", "An authorization bypass vulnerability was found in istio/istio. The case insensitive host comparison incorrectly works when evaluating rules specified with `host` or `notHost`. This flaw allows an attacker to bypass an Istio authorization policy that uses hosts in the rules, potentially gaining access to the downstream services. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."], "name": "CVE-2021-39155", "public_date": "2021-08-24T19:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-39155\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-39155\nhttps://istio.io/latest/news/security/istio-security-2021-008/"], "threat_severity": "Important", "upstream_fix": "istio 1.11.1, istio 1.10.4, istio 1.9.8"}