CVE-2022-24726

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-24726
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24726.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-24726
Aliases
  • GHSA-8w5h-qr4r-2h6g
Downstream
Published
2022-03-10T20:45:12Z
Modified
2025-10-23T12:46:07.397979Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Unauthenticated control plane denial of service attack in Istio
Details

Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially external istiod topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet or restrict the set of IP addresses that can query it to a set of known, trusted entities.

Database specific 
{
    "cwe_ids": [
        "CWE-400"
    ]
}
References

Affected packages

Git / github.com/istio/istio

Affected ranges

Type
GIT
Repo
https://github.com/istio/istio
Events
Introduced
016bc46f4a5e0ef3fa135b3c5380ab7765467c1a
Fixed
6332f0901f96ca97cf114d57b466d4bcd055b08c
Database specific 
{
    "versions": [
        {
            "introduced": "1.12.0"
        },
        {
            "fixed": "1.12.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/istio/istio
Events
Introduced
75ee7514615d3a642a7eabaa0ad7c22cea1a1ed0
Fixed
91533d04e894ff86b80acd6d7a4517b144f9e19a
Database specific 
{
    "versions": [
        {
            "introduced": "1.13.0"
        },
        {
            "fixed": "1.13.2"
        }
    ]
}

Affected versions

1.*

1.12.0
1.12.1
1.12.2
1.12.3
1.13.0

Git / github.com/istio/istio

Affected ranges

Type
GIT
Repo
https://github.com/golang/go
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
f8a63418e985d972c86d3da5bf90b7e81b72b468
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "< 1.11.8,"
        }
    ]
}

Affected versions

go1.*

go1.10beta1
go1.10beta2
go1.10rc1
go1.10rc2
go1.11
go1.11.1
go1.11.2
go1.11.3
go1.11.4
go1.11.5
go1.11.6
go1.11.7
go1.11.8
go1.11beta1
go1.11beta2
go1.11beta3
go1.11rc1
go1.11rc2
go1.3beta1
go1.3beta2
go1.4beta1
go1.5beta1
go1.5beta2
go1.5beta3
go1.6beta1
go1.6beta2
go1.7beta1
go1.7beta2
go1.7rc1
go1.7rc2
go1.7rc3
go1.7rc4
go1.8beta1
go1.8beta2
go1.9beta1
go1.9beta2

release.*

release.r56

Other

weekly

weekly.*

weekly.2009-11-06
weekly.2009-11-10
weekly.2009-11-10.1
weekly.2009-11-12
weekly.2009-11-17
weekly.2009-12-07
weekly.2009-12-09
weekly.2009-12-22
weekly.2010-01-05
weekly.2010-01-13
weekly.2010-01-27
weekly.2010-02-04
weekly.2010-02-17
weekly.2010-02-23
weekly.2010-03-04
weekly.2010-03-15
weekly.2010-03-22
weekly.2010-03-30
weekly.2010-04-13
weekly.2010-04-27
weekly.2010-05-04
weekly.2010-05-27
weekly.2010-06-09
weekly.2010-06-21
weekly.2010-07-01
weekly.2010-07-14
weekly.2010-07-29
weekly.2010-08-04
weekly.2010-08-11
weekly.2010-08-25
weekly.2010-09-06
weekly.2010-09-15
weekly.2010-09-22
weekly.2010-09-29
weekly.2010-10-13
weekly.2010-10-13.1
weekly.2010-10-20
weekly.2010-10-27
weekly.2010-11-02
weekly.2010-11-10
weekly.2010-11-23
weekly.2010-12-02
weekly.2010-12-08
weekly.2010-12-15
weekly.2010-12-15.1
weekly.2010-12-22
weekly.2011-01-06
weekly.2011-01-12
weekly.2011-01-19
weekly.2011-01-20
weekly.2011-02-01
weekly.2011-02-01.1
weekly.2011-02-15
weekly.2011-02-24
weekly.2011-03-07
weekly.2011-03-07.1
weekly.2011-03-15
weekly.2011-03-28
weekly.2011-04-04
weekly.2011-04-13
weekly.2011-04-27
weekly.2011-05-22
weekly.2011-06-02
weekly.2011-06-09
weekly.2011-06-16
weekly.2011-06-23
weekly.2011-07-07
weekly.2011-07-19
weekly.2011-07-29
weekly.2011-08-10
weekly.2011-08-17
weekly.2011-09-01
weekly.2011-09-07
weekly.2011-09-16
weekly.2011-09-21
weekly.2011-10-06
weekly.2011-10-18
weekly.2011-10-25
weekly.2011-10-26
weekly.2011-11-01
weekly.2011-11-02
weekly.2011-11-08
weekly.2011-11-09
weekly.2011-11-18
weekly.2011-12-01
weekly.2011-12-02
weekly.2011-12-06
weekly.2011-12-14
weekly.2011-12-22
weekly.2012-01-15
weekly.2012-01-20
weekly.2012-01-27
weekly.2012-02-07
weekly.2012-02-14
weekly.2012-02-22
weekly.2012-03-04
weekly.2012-03-13
weekly.2012-03-22
weekly.2012-03-27