{"containers": {"cna": {"affected": [{"product": "istio", "vendor": "istio", "versions": [{"status": "affected", "version": "< 1.9.8"}, {"status": "affected", "version": ">= 1.10.0, < 1.10.4"}, {"status": "affected", "version": ">= 1.11.0, < 1.11.1"}]}], "descriptions": [{"lang": "en", "value": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio\u2019s URI path based authorization policies. Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize the path."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-24T22:30:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/istio/istio/security/advisories/GHSA-hqxw-mm44-gc4r"}, {"tags": ["x_refsource_MISC"], "url": "https://istio.io/latest/news/security/istio-security-2021-008"}], "source": {"advisory": "GHSA-hqxw-mm44-gc4r", "discovery": "UNKNOWN"}, "title": "Fragments in Path May Lead to Authorization Policy Bypass", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39156", "STATE": "PUBLIC", "TITLE": "Fragments in Path May Lead to Authorization Policy Bypass"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "istio", "version": {"version_data": [{"version_value": "< 1.9.8"}, {"version_value": ">= 1.10.0, < 1.10.4"}, {"version_value": ">= 1.11.0, < 1.11.1"}]}}]}, "vendor_name": "istio"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio\u2019s URI path based authorization policies. Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize the path."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863: Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://github.com/istio/istio/security/advisories/GHSA-hqxw-mm44-gc4r", "refsource": "CONFIRM", "url": "https://github.com/istio/istio/security/advisories/GHSA-hqxw-mm44-gc4r"}, {"name": "https://istio.io/latest/news/security/istio-security-2021-008", "refsource": "MISC", "url": "https://istio.io/latest/news/security/istio-security-2021-008"}]}, "source": {"advisory": "GHSA-hqxw-mm44-gc4r", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:58:18.136Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/istio/istio/security/advisories/GHSA-hqxw-mm44-gc4r"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://istio.io/latest/news/security/istio-security-2021-008"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39156", "datePublished": "2021-08-24T22:30:12", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-08-04T01:58:18.136Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "2FBF48C6-1E39-4692-A652-27E7DCDC81BC", "versionEndExcluding": "1.9.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "69176EED-4FB2-4CDF-A510-90C6F46C3E86", "versionEndExcluding": "1.10.3", "versionStartIncluding": "1.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "886DF572-26C9-4BC9-875F-F043D445C346", "versionEndExcluding": "1.11.1", "versionStartIncluding": "1.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio\u2019s URI path based authorization policies. Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize the path."}, {"lang": "es", "value": "Istio es una plataforma de c\u00f3digo abierto que proporciona una forma uniforme de integrar microservicios, administrar el flujo de tr\u00e1fico entre microservicios, aplicar pol\u00edticas y agregar datos de telemetr\u00eda. Istio versiones 1.11.0, 1.10.3 y por debajo, y versiones 1.9.7 y por debajo, contienen una vulnerabilidad explotable de forma remota en la que una petici\u00f3n HTTP con el par\u00e1metro \"#fragment\" en la ruta puede omitir las pol\u00edticas de autorizaci\u00f3n basadas en la ruta URI de Istio. Los parches est\u00e1n disponibles en Istio versi\u00f3n 1.11.1, Istio versi\u00f3n 1.10.4 e Istio versi\u00f3n 1.9.8. Como soluci\u00f3n, puede escribirse un filtro Lua para normalizar la ruta."}], "id": "CVE-2021-39156", "lastModified": "2023-11-07T03:37:34.650", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-08-24T23:15:10.413", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/istio/istio/security/advisories/GHSA-hqxw-mm44-gc4r"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://istio.io/latest/news/security/istio-security-2021-008"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-706"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank the Istio Product Security Working Group for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:3273", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "package": "servicemesh-0:1.1.17-3.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2021-08-25T00:00:00Z"}, {"advisory": "RHSA-2021:3272", "cpe": "cpe:/a:redhat:service_mesh:2.0::el8", "package": "servicemesh-0:2.0.7-3.el8", "product_name": "OpenShift Service Mesh 2.0", "release_date": "2021-08-25T00:00:00Z"}], "bugzilla": {"description": "istio/istio: HTTP request with fragment in URI can bypass authorization mechanisms", "id": "1996915", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1996915"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-863", "details": ["Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio\u2019s URI path based authorization policies. Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize the path.", "An authorization bypass vulnerability was found in istio/istio. An HTTP request is incorrectly evaluated when a URI #fragment is specified. This flaw allows an attacker to bypass an Istio URI-based authorization rule. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."], "name": "CVE-2021-39156", "public_date": "2021-08-24T19:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-39156\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-39156\nhttps://istio.io/latest/news/security/istio-security-2021-008/"], "threat_severity": "Important", "upstream_fix": "istio 1.11.1, istio 1.10.4, istio 1.9.8"}