Remote Exploit in Istio's Authorization Policy Handling
CVE-2021-31920

6.5 MEDIUM

Key Information:

Vendor:
Istio

Status:
Vendor

CVE Published:
27 May 2021

What is CVE-2021-31920?

Istio versions prior to 1.8.6 and 1.9.5 contain a vulnerability that lets attackers bypass path-based authorization policies with specially crafted HTTP request paths. A path containing multiple consecutive slashes or escaped slash characters (%2F or %5C) is not matched the way the policy author intended, so a rule meant to deny that path can be sidestepped, compromising the security framework intended to protect service interactions.
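The following is an added illustration of the mismatch described above, written for this page; it is not Istio's or Envoy's code. It shows a constructed deny rule for the `/admin` prefix, a naive matcher that compares the raw request path, and a hardened matcher that canonicalizes the path (decoding %2F/%5C, folding backslashes, collapsing slash runs, resolving dot segments) before the rule is evaluated. The rule set, helper names and sample paths are all assumptions made for the example.

```python
import re

# Constructed sample policy: deny anything under /admin. A path-based
# authorization rule of this shape is what the bypass targets.
DENY_PREFIXES = ("/admin",)


def naive_is_denied(path: str) -> bool:
    """Evaluate the rule against the raw request path, with no normalization."""
    return any(path.startswith(prefix) for prefix in DENY_PREFIXES)


def normalize_path(path: str) -> str:
    """Canonicalize a request path before policy evaluation.

    Illustrative normalization (an assumption for this example, not Istio's
    own implementation):
      1. decode escaped forward slashes (%2F) and backslashes (%5C)
      2. treat a backslash as a path separator
      3. collapse runs of slashes into one
      4. resolve '.' and '..' segments
    Only the separator escapes are decoded, so other percent-encodings are
    left for the application to interpret.
    """
    decoded = re.sub(r"%2[fF]", "/", path)
    decoded = re.sub(r"%5[cC]", "\\\\", decoded)
    decoded = decoded.replace("\\", "/")
    decoded = re.sub(r"/+", "/", decoded)

    segments = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if segments:
                segments.pop()
            continue
        segments.append(segment)
    return "/" + "/".join(segments)


def hardened_is_denied(path: str) -> bool:
    """Evaluate the same rule, but only after the path has been canonicalized."""
    return naive_is_denied(normalize_path(path))


def evaluate(paths):
    """Return {path: (naive_denied, hardened_denied)} for a list of request paths."""
    return {p: (naive_is_denied(p), hardened_is_denied(p)) for p in paths}


if __name__ == "__main__":
    # Constructed request paths: one legitimate, the rest variants of /admin/users.
    sample_paths = [
        "/admin/users",
        "//admin/users",
        "/%2Fadmin/users",
        "/%5Cadmin/users",
        "/public/../admin/users",
        "/public/data",
    ]
    for path, (naive, hardened) in evaluate(sample_paths).items():
        print(f"{path:28} naive_denied={naive!s:5} hardened_denied={hardened!s:5}")
```

Running the script shows that only the first path is denied by the naive matcher, while the hardened matcher denies every variant that canonicalizes to `/admin/users` and still allows `/public/data`. The practical lesson for a defender is that the path a policy engine compares must be the same canonical form the upstream application will route on; a normalization step that runs before policy evaluation, and is applied identically to every hop, closes this class of bypass.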

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
