CVE-2022-39388
Istio may allow identity impersonation if user has localhost access
Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds.
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Produtos afetados
istio · istioQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://github.com/istio/istio/commit/346260e5115e9fbc65ba8a559bc686e6ca046a32https://github.com/istio/istio/commit/9a643e270421560afb2630e00f76d46a55499df9https://github.com/istio/istio/security/advisories/GHSA-6c6p-h79f-g6p4https://istio.io/latest/news/releases/1.15.x/announcing-1.15.3/