Main Vulnerability Database Vulnerabilities #VU53523

#VU53523 Improper Authorization in Istio - CVE-2021-31921

Published: May 25, 2021

Vulnerability identifier: #VU53523

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2021-31921

CWE-ID: CWE-285

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Istio

Software vendor:
Istio

Description

The vulnerability allows a remote attacker to bypass authorization procedure.

The vulnerability exists due to a logic issue when the istio gateway is configured with TLS mode `AUTO_PASSTHROUGH`. A remote non-authenticated attacker can bypass authorization checks and gain unauthorized access to services in the cluster.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Remediation

Install updates from vendor's website.

External links

https://istio.io/latest/news/security/istio-security-2021-006/