ISTIO-SECURITY-2020-002

Mixer policy check bypass caused by improperly accepting certain request headers.

Feb 11, 2020

Disclosure Details
CVE(s): CVE-2020-8843
CVSS Impact Score: 7.4 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Releases: 1.3 to 1.3.6

Istio 1.3 to 1.3.6 contain a vulnerability affecting Mixer policy checks.

Note: We regret that the vulnerability was silently fixed in Istio 1.4.0 and Istio 1.3.7. An issue was raised and fixed in Istio 1.4.0 as a non-security issue. We reclassified the issue as a vulnerability in Dec 2019.

Mitigation

Credit

The Istio team would like to thank Krishnan Anantheswaran and Eric Zhang of Splunk for the private bug report.

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.