istio

Description: Istio configuration command line utility for service operators to debug and diagnose their Istio mesh.
Version: 1.12.1-1 [community]

Resolved

| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-2321 | 1.11.0-1 | 1.11.1-1 | High | Fixed | |
| AVG-2113 | 1.10.1-1 | 1.10.2-1 | Critical | Fixed | |
| AVG-1947 | 1.9.2-1 | 1.10.0-1 | Critical | Fixed | FS#70808 |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-39156 | AVG-2321 | High | Yes | Access restriction bypass | Istio before version 1.11.1 contains a remotely exploitable vulnerability where an HTTP request with #fragment in the path may bypass Istio's URI path based... |
| CVE-2021-39155 | AVG-2321 | High | Yes | Access restriction bypass | A security issue has been found in Istio before version 1.11.1. According to RFC 4343, Istio authorization policy should compare the hostname in the HTTP... |
| CVE-2021-34824 | AVG-2113 | Critical | Yes | Information disclosure | Istio before version 1.10.2 contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName... |
| CVE-2021-32781 | AVG-2321 | High | Yes | Arbitrary code execution | Envoy, as used by Istio before version 1.11.1, contains a remotely exploitable vulnerability that affects Envoy's decompressor, json-transcoder or grpc-web... |
| CVE-2021-32780 | AVG-2321 | High | Yes | Denial of service | Envoy, as used by Istio before version 1.11.1, contains a remotely exploitable vulnerability where an untrusted upstream service could cause Envoy to... |
| CVE-2021-32778 | AVG-2321 | High | Yes | Denial of service | Envoy, as used by Istio before version 1.11.1, contains a remotely exploitable vulnerability where an Envoy client opening and then resetting a large number... |
| CVE-2021-32777 | AVG-2321 | High | Yes | Insufficient validation | Envoy, as used by Istio before version 1.11.1, contains a remotely exploitable vulnerability that an HTTP request with multiple value headers could do an... |
| CVE-2021-31921 | AVG-1947 | Critical | Yes | Authentication bypass | Istio before version 1.9.5 contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing... |
| CVE-2021-31920 | AVG-1947 | High | Yes | Authentication bypass | Istio before version 1.9.5 contains a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F... |
| CVE-2021-29492 | AVG-1947 | High | Yes | Authentication bypass | Envoy before version 1.18.3, and subsequently Istio before version 1.9.5, contains a remotely exploitable authorization bypass vulnerability. An attacker... |
| CVE-2021-29258 | AVG-1947 | High | Yes | Denial of service | Envoy before version 1.18.0, and subsequently Istio before version 1.9.3, contains a remotely exploitable vulnerability where an HTTP2 request with an empty... |
| CVE-2021-28683 | AVG-1947 | High | Yes | Denial of service | Envoy before version 1.18.0, and subsequently Istio before version 1.9.3, contains a remotely exploitable NULL pointer dereference and crash in TLS when an... |
| CVE-2021-28682 | AVG-1947 | High | Yes | Arbitrary code execution | Envoy before version 1.18.0, and subsequently Istio before version 1.9.3, contains a remotely exploitable integer overflow in which a very large... |

Advisories

| Date | Advisory | Group | Severity | Type |
|---|---|---|---|---|
| 01 Jul 2021 | ASA-202107-3 | AVG-2113 | Critical | information disclosure |