GHSA-82mm-ffjr-h86c

Source
https://github.com/advisories/GHSA-82mm-ffjr-h86c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-82mm-ffjr-h86c/GHSA-82mm-ffjr-h86c.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-82mm-ffjr-h86c
Aliases
Published
2022-02-15T01:57:18Z
Modified
2023-11-01T04:52:07.280870Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
Authorization bypass in Istio
Details

In Istio 1.5.0 through 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy.
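The following Go program is an added audit example for this advisory; it is not Istio's own code and not taken from the advisory. It decodes a Kubernetes List of AuthorizationPolicy objects (the shape `kubectl get authorizationpolicies -A -o json` produces) and reports every DENY rule whose source `principals` or `namespaces` entry is a `*suffix` pattern, the form the advisory describes as never denying on the affected versions. The struct mirrors only the fields the check needs, the sample document is constructed, and the helper names (`AuditDenyWildcards`, `ParsePolicyList`, `hasWildcardSuffixPattern`) are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuthorizationPolicy is a minimal subset of the Istio AuthorizationPolicy
// shape (security.istio.io/v1beta1) sufficient for this audit. It is an
// assumption of this example, not Istio's own Go type.
type AuthorizationPolicy struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		Action string `json:"action"`
		Rules  []struct {
			From []struct {
				Source struct {
					Principals []string `json:"principals"`
					Namespaces []string `json:"namespaces"`
				} `json:"source"`
			} `json:"from"`
		} `json:"rules"`
	} `json:"spec"`
}

// Finding describes one DENY rule that relies on a wildcard-suffix match.
type Finding struct {
	Policy string // namespace/name of the policy
	Field  string // "principals" or "namespaces"
	Value  string // the offending pattern
}

// hasWildcardSuffixPattern reports whether v has the "*<suffix>" shape named
// in the advisory (e.g. "*-some-suffix"). A bare "*" is a presence match and a
// "prefix*" pattern is a prefix match; neither is the case the advisory covers.
func hasWildcardSuffixPattern(v string) bool {
	return len(v) > 1 && strings.HasPrefix(v, "*")
}

// AuditDenyWildcards returns every DENY rule whose source principals or
// namespaces use a "*suffix" pattern. On Istio 1.5.0-1.5.8 and 1.6.0-1.6.7
// such rules never deny anything (GHSA-82mm-ffjr-h86c). Policies with no
// action field default to ALLOW in Istio and are skipped.
func AuditDenyWildcards(policies []AuthorizationPolicy) []Finding {
	var out []Finding
	for _, p := range policies {
		if !strings.EqualFold(p.Spec.Action, "DENY") {
			continue
		}
		id := p.Metadata.Namespace + "/" + p.Metadata.Name
		for _, r := range p.Spec.Rules {
			for _, f := range r.From {
				for _, v := range f.Source.Principals {
					if hasWildcardSuffixPattern(v) {
						out = append(out, Finding{id, "principals", v})
					}
				}
				for _, v := range f.Source.Namespaces {
					if hasWildcardSuffixPattern(v) {
						out = append(out, Finding{id, "namespaces", v})
					}
				}
			}
		}
	}
	return out
}

// ParsePolicyList decodes the "items" array of a Kubernetes List document.
func ParsePolicyList(doc []byte) ([]AuthorizationPolicy, error) {
	var list struct {
		Items []AuthorizationPolicy `json:"items"`
	}
	if err := json.Unmarshal(doc, &list); err != nil {
		return nil, err
	}
	return list.Items, nil
}

// SamplePolicyList is a constructed document for this example, not taken from
// any real cluster. Two DENY rules use suffix wildcards, one DENY rule uses a
// prefix wildcard, and one ALLOW rule uses a wildcard that is out of scope.
const SamplePolicyList = `{"items": [
  {"metadata": {"name": "deny-legacy", "namespace": "default"},
   "spec": {"action": "DENY", "rules": [{"from": [{"source": {
     "principals": ["*/sa/legacy"]}}]}]}},
  {"metadata": {"name": "deny-staging", "namespace": "default"},
   "spec": {"action": "DENY", "rules": [{"from": [{"source": {
     "namespaces": ["*-staging"]}}]}]}},
  {"metadata": {"name": "deny-prod-prefix", "namespace": "default"},
   "spec": {"action": "DENY", "rules": [{"from": [{"source": {
     "principals": ["cluster.local/ns/prod/*"]}}]}]}},
  {"metadata": {"name": "allow-frontend", "namespace": "default"},
   "spec": {"action": "ALLOW", "rules": [{"from": [{"source": {
     "principals": ["cluster.local/ns/default/sa/frontend-*"]}}]}]}}
]}`

func main() {
	policies, err := ParsePolicyList([]byte(SamplePolicyList))
	if err != nil {
		panic(err)
	}
	for _, f := range AuditDenyWildcards(policies) {
		fmt.Printf("%s: DENY rule uses wildcard-suffix %s %q; not enforced before Istio 1.5.9 / 1.6.8\n",
			f.Policy, f.Field, f.Value)
	}
}
```

Running it against the constructed sample reports `default/deny-legacy` and `default/deny-staging`; the prefix-wildcard DENY rule and the ALLOW rule are not reported because the advisory's scope is suffix wildcards in DENY rules. The check is a triage aid for clusters still on an affected range; the fix is upgrading to 1.5.9 or 1.6.8.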

Specific Go Packages Affected

istio.io/istio/pilot/pkg/security/authz/model/matcher

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-12T21:59:07Z"
}
References

Affected packages

Go / istio.io/istio

Package

Name
istio.io/istio
Purl
pkg:golang/istio.io/istio

Affected ranges

Type
SEMVER
Events
Introduced
1.5.0
Fixed
1.5.9

Go / istio.io/istio

Package

Name
istio.io/istio
Purl
pkg:golang/istio.io/istio

Affected ranges

Type
SEMVER
Events
Introduced
1.6.0
Fixed
1.6.8