Policy Bypass in Istio Proxy on Istio for Ingress Traffic
CVE-2020-8843

7.4HIGH

Key Information:

Vendor

Istio

Status
Istio
Vendor
CVE Published:
14 February 2020

What is CVE-2020-8843?

A vulnerability exists in certain versions of Istio where the Mixer policy enforcement can be bypassed when specific conditions are met. This occurs particularly in the handling of the 'x-istio-attributes' header at ingress, allowing attackers to influence policy decisions by encoding a 'source.uid'. While this feature is disabled by default in Istio 1.3 and 1.4, it remains critical for users with configurations that enable this functionality to assess their security posture and potential exposure.

References

https://github.com/istio/istio/commits/master
x_refsource_MISC
https://istio.io/news/security/
x_refsource_MISC
https://istio.io/news/security/istio-security-2020-002/
x_refsource_CONFIRM

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.