Access Token Mismanagement in Istio by Google
CVE-2019-12995

7.5HIGH

Key Information:

Vendor

Istio

Status
Istio
Vendor
CVE Published:
28 June 2019

What is CVE-2019-12995?

The vulnerability arises from the handling of access tokens in Istio versions before 1.2.2, causing Envoy to encounter a segmentation fault, which results in the error message 'Epoch 0 terminated with an error.' This issue is particularly related to the jwt_authenticator component, highlighting a significant flaw in how access tokens are processed, which could impact the stability and security of applications relying on Istio.

References

https://istio.io/about/notes/
x_refsource_MISC
https://github.com/istio/istio/issues/15084
x_refsource_MISC
https://github.com/istio/istio.io/pull/4555
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.