CVE-2021-39155 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Access restriction bypass
Description	A security issue has been found in Istio before version 1.11.1. According to RFC 4343, Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname "httpbin.foo" for some source IPs, but the attacker can bypass this by sending the request with hostname "Httpbin.Foo".

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2321	istio	1.11.0-1	1.11.1-1	High	Fixed

References
https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j https://istio.io/latest/news/security/istio-security-2021-008/#cve-2021-39155 https://github.com/istio/istio/commit/90b00bdf891e6c770cb3235c14a9b1fda96cc7c5

References

https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j
https://istio.io/latest/news/security/istio-security-2021-008/#cve-2021-39155
https://github.com/istio/istio/commit/90b00bdf891e6c770cb3235c14a9b1fda96cc7c5