CVE-2022-39388 - Incorrect Authorization vulnerability in Istio 1.15.0/1.15.1/1.15.2
Metric | Value |
---|---|
Attack vector | ADJACENT_NETWORK |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | NONE |
Integrity impact | LOW |
Availability impact | NONE |

Summary
Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 6 |
Common Weakness Enumeration (CWE)
References
- https://github.com/istio/istio/commit/346260e5115e9fbc65ba8a559bc686e6ca046a32
- https://github.com/istio/istio/commit/9a643e270421560afb2630e00f76d46a55499df9
- https://github.com/istio/istio/security/advisories/GHSA-6c6p-h79f-g6p4
- https://istio.io/latest/news/releases/1.15.x/announcing-1.15.3/