Istio Fragments in Path May Lead to Authorization Policy Bypass
Package
Affected versions
< 1.9.8
>= 1.10.0, < 1.10.4
= 1.11.0
Patched versions
1.9.8
1.10.4
1.11.1
Description
Published by the National Vulnerability Database
Aug 24, 2021
Reviewed
Aug 25, 2021
Published to the GitHub Advisory Database
Aug 30, 2021
Last updated
Jan 27, 2023
Impact
Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with
#fragment
in the path may bypass Istio’s URI path based authorization policies.Patches
Workarounds
A Lua filter may be written to normalize the path. This is similar to the Path normalization presented in the Security Best Practices guide.
References
More details can be found in the Istio Security Bulletin
For more information
If you have any questions or comments about this advisory, please email us at istio-security-vulnerability-reports@googlegroups.com
References