AuthorizationPolicy Bypass in Istio 1.5 and 1.6 by Istio
CVE-2020-16844

6.8 MEDIUM

Key Information:

Vendor

Istio

Status
Vendor
CVE Published:
1 October 2020

What is CVE-2020-16844?

In Istio 1.5 and 1.6, users can configure an AuthorizationPolicy resource whose action is DENY. When wildcard suffixes are used in the policy's source principals or namespaces fields, however, the DENY rule may not be enforced as written. Callers matching these wildcard suffixes could therefore gain access the policy was meant to refuse, bypassing the denial and weakening the mesh's authorization posture.
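The following AuthorizationPolicy is an added illustration of the policy shape the description refers to; it is not taken from the advisory or from the Istio project. The policy name, namespace, and the service-account principal pattern are hypothetical. The first rule uses a wildcard in the source principal, which is the form the description says may not be enforced on affected versions; the second, exact-match form does not rely on wildcard matching and is the kind of policy a defender can use to verify that denial is actually taking effect (for example with a test request from the denied workload) while upgrading to a fixed release.

```yaml
# Added example, not from the page or the Istio project.
# Names, namespaces, and principals below are hypothetical.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-dev-callers            # hypothetical
  namespace: payments               # hypothetical
spec:
  action: DENY
  rules:
  - from:
    - source:
        # Wildcard pattern in the source principal. Per CVE-2020-16844,
        # DENY rules written with wildcard suffixes in principals or
        # namespaces may not be enforced on affected Istio 1.5/1.6 builds.
        principals: ["cluster.local/ns/dev/sa/*"]
---
# Exact-match form of the same intent: no wildcard, so it does not
# depend on the affected wildcard handling.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-dev-callers-exact      # hypothetical
  namespace: payments               # hypothetical
spec:
  action: DENY
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/dev/sa/frontend"   # hypothetical SA
        - "cluster.local/ns/dev/sa/batch"      # hypothetical SA
```

Listing each denied principal explicitly is more to maintain, but it removes the dependence on wildcard matching entirely, and a single test request from one of the listed identities confirms whether the DENY is honoured on the running version.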

References

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
