GHSA-6c6p-h79f-g6p4: Istio may allow identity impersonation if user has localhost access

Impact

A user with localhost access to the Istiod control plane can impersonate any workload identity within the service mesh.

Patches

1.15.3

Workarounds

None. If you are running 1.15.2, upgrade to 1.15.3 or later.

References

None at this time.

For more information

If you have any questions or comments about this advisory, please email us at [email protected]

High severity. GitHub Reviewed. Published Nov 9, 2022 in istio/istio.

Package

gomod github.com/istio/istio (Go)

Affected versions

>= 1.15.0-beta.0, < 1.15.3

Patched versions

1.15.3
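As an added example (not part of the advisory and not Istio project code), the check below tests whether a reported Istio control-plane version string lies inside the affected range stated above, using semver 2.0 precedence so that pre-release tags such as 1.15.0-beta.0 compare correctly; the version strings it runs on are constructed samples.

```python
"""Version-range check for GHSA-6c6p-h79f-g6p4 / CVE-2022-39388.

Added example, not Istio project code. It tests whether an Istio version
string lies in the advisory's affected range (>= 1.15.0-beta.0, < 1.15.3)
using semver 2.0 precedence, so pre-release tags compare correctly.
"""
import re

# Range taken from the advisory's "Affected versions" field.
AFFECTED_MIN = "1.15.0-beta.0"  # inclusive lower bound
FIXED_AT = "1.15.3"             # exclusive upper bound (first patched release)

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text):
    """Return a sort key that follows semver precedence rules."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        # A release sorts after every pre-release of the same core version.
        return core, (1, ())
    parts = []
    for ident in pre.split("."):
        # Numeric identifiers compare numerically and rank below alphanumerics.
        parts.append((0, int(ident), "") if ident.isdigit() else (1, 0, ident))
    return core, (0, tuple(parts))


def is_affected(version):
    """True if `version` is inside [AFFECTED_MIN, FIXED_AT)."""
    key = parse_version(version)
    return parse_version(AFFECTED_MIN) <= key < parse_version(FIXED_AT)


def affected_subset(versions):
    """Filter reported versions (e.g. one per cluster's istiod) down to
    those that still need the 1.15.3 upgrade, lowest version first."""
    return sorted((v for v in versions if is_affected(v)), key=parse_version)


if __name__ == "__main__":
    # Constructed sample input, not real inventory data.
    for v in ["1.14.5", "1.15.0-beta.0", "1.15.2", "1.15.3", "1.15.3-rc.0"]:
        print(f"{v:>14}: {'AFFECTED' if is_affected(v) else 'ok'}")
```

Pre-release builds of 1.15.3 itself (for example 1.15.3-rc.0) fall inside the literal range and are reported as affected; confirm such builds against the fixing commits listed in the references before treating them as patched.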

References

  • GHSA-6c6p-h79f-g6p4
  • istio/istio@346260e
  • istio/istio@9a643e2
  • https://istio.io/latest/news/releases/1.15.x/announcing-1.15.3/

howardjohn published the maintainer security advisory on Nov 9, 2022.

Severity

High, 7.6 / 10

CVSS base metrics

  • Attack vector: Adjacent
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: Low
  • Availability: None

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Weaknesses: No CWEs

CVE ID: CVE-2022-39388

GHSA ID: GHSA-6c6p-h79f-g6p4

Source code: istio/istio

Credits

  • howardjohn

Related news

CVE-2022-39388: Identity impersonation if user has localhost access

Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds.