ISTIO-SECURITY-2022-008

Identity impersonation if user has localhost access.

Nov 9, 2022

Disclosure Details
CVE(s)CVE-2022-39388
CVSS Impact Score7.6 AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Affected Releases1.15.2

CVE

CVE-2022-39388

User can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane.

Am I Impacted?

You are at most risk if you are running Istio 1.15.2 and users have access to the machine where Istiod is running.