CVE-2022-21679

EUVD-2022-26891
Istio is an open platform to connect, manage, and secure microservices. In Istio 1.12.0 and 1.12.1 The authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or rejected unexpectedly for DENY action during the upgrade from 1.11 to 1.12.0/1.12.1. Istio 1.12 supports the hosts and notHosts fields in authorization policy with a new Envoy API shipped with the 1.12 data plane. A bug in the 1.12.0 and 1.12.1 incorrectly uses the new Envoy API with the 1.11 data plane. This will cause the hosts and notHosts fields to be always matched regardless of the actual value of the host header when mixing 1.12.0/1.12.1 control plane and 1.11 data plane. Users are advised to upgrade or to not mix the 1.12.0/1.12.1 control plane with 1.11 data plane if using hosts or notHosts field in authorization policy.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
GitHub_MCNA
6.8 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 40%
Affected Products (NVD)
VendorProductVersion
istioistio
1.12.0
istioistio
1.12.0:alpha0
istioistio
1.12.0:alpha1
istioistio
1.12.0:alpha5
istioistio
1.12.0:beta0
istioistio
1.12.0:beta1
istioistio
1.12.0:beta2
istioistio
1.12.0:rc1
istioistio
1.12.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/istio/istio/security/advisories/GHSA-rwfr-xrvw-2rvv
https://istio.io/latest/news/releases/1.12.x/announcing-1.12.2/
https://github.com/istio/istio/security/advisories/GHSA-rwfr-xrvw-2rvv
https://istio.io/latest/news/releases/1.12.x/announcing-1.12.2/