GHSA-6c6p-h79f-g6p4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6c6p-h79f-g6p4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-6c6p-h79f-g6p4/GHSA-6c6p-h79f-g6p4.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-6c6p-h79f-g6p4
- Aliases
- Related
- Published
- 2022-11-09T22:07:01Z
- Modified
- 2023-11-01T04:59:51.452608Z
- Severity
-
- 7.6 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N CVSS Calculator
- Summary
- Istio may allow identity impersonation if user has localhost access
- Details
-
Impact
User can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane.
Patches
1.15.3
Workarounds
No. If using 1.15.2 please upgrade to 1.15.3 or later.
References
None at this time.
For more information
If you have any questions or comments about this advisory, please email us at istio-security-vulnerability-reports@googlegroups.com
- Database specific
{ "nvd_published_at": "2022-11-10T20:15:00Z", "cwe_ids": [ "CWE-863" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-11-09T22:07:01Z" }- References
-
- https://github.com/istio/istio/security/advisories/GHSA-6c6p-h79f-g6p4
- https://nvd.nist.gov/vuln/detail/CVE-2022-39388
- https://github.com/istio/istio/commit/346260e5115e9fbc65ba8a559bc686e6ca046a32
- https://github.com/istio/istio/commit/9a643e270421560afb2630e00f76d46a55499df9
- https://github.com/istio/istio
- https://istio.io/latest/news/releases/1.15.x/announcing-1.15.3
Affected packages
Go / github.com/istio/istio
Package
- Name
- github.com/istio/istio
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/istio/istio