MidnightBSD

Advisories for istio

CVE-2019-12243 MEDIUM

Istio 1.1.x through 1.1.6 has Incorrect Access Control.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
istio istio *
CVE-2019-12995 MEDIUM

Istio before 1.2.2 mishandles certain access tokens, leading to "Epoch 0 terminated with an error" in Envoy. This is related to a jwt_authenticator.cc segmentation fault.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476

Products Affected

Vendor Product Version
istio istio *
CVE-2019-14993 MEDIUM

Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-185

Products Affected

Vendor Product Version
istio istio *
CVE-2019-18817 MEDIUM

Istio 1.3.x before 1.3.5 allows Denial of Service because continue_on_listener_filters_timeout is set to True, a related issue to CVE-2019-18836.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835

Products Affected

Vendor Product Version
istio istio *
CVE-2019-18836 MEDIUM

Envoy 1.12.0 allows a remote denial of service because of resource loops, as demonstrated by a single idle TCP connection being able to keep a worker thread in an infinite busy loop when continue_on_listener_filters_timeout is used.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835

Products Affected

Vendor Product Version
istio istio *
envoyproxy envoy 1.12.0
CVE-2019-25014 MEDIUM

A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go getResourceVersion in Istio pilot before 1.5.0-alpha.0. If a particular HTTP GET request is made to the pilot API endpoint, it is possible to cause the Go runtime to panic (resulting in a denial of service to the istio-pilot application).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476

Products Affected

Vendor Product Version
istio istio *
redhat openshift_service_mesh 1.0
CVE-2020-10739 MEDIUM

Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the following vulnerability when Telemetry v2 is enabled (not on by default in version 1.4.x): by sending a specially crafted packet to the ingress gateway or a proxy sidecar, an attacker could trigger a null pointer exception, resulting in a denial of service. The same null pointer exception flaw also affects servicemesh-proxy.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
secalert@redhat.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476

Products Affected

Vendor Product Version
istio istio *
CVE-2020-11767 LOW

Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak issue. If there is a TCP connection (negotiated with SNI over HTTPS) to *.example.com, a request for a domain concurrently configured explicitly (e.g., abc.example.com) is sent to the server(s) listening behind *.example.com. The outcome should instead be 421 Misdirected Request. Imagine a shared caching forward proxy re-using an HTTP/2 connection for a large subnet with many users. If a victim is interacting with abc.example.com, and a server (for abc.example.com) recycles the TCP connection to the forward proxy, the victim's browser may suddenly start sending sensitive data to a *.example.com server. This occurs because the forward proxy between the victim and the origin server reuses connections (which obeys the specification), but neither Istio nor Envoy corrects this by sending a 421 error. Similarly, this behavior voids the security model browsers have put in place between domains.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N 1.6 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
envoyproxy envoy *
istio istio *
CVE-2020-16844 MEDIUM

In Istio 1.5.0 through 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N 1.6 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
istio istio *
CVE-2020-8595 HIGH

Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allow authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 3.9 3.4

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287

Products Affected

Vendor Product Version
istio istio *
redhat openshift_service_mesh 1.0
CVE-2020-8843 MEDIUM

An issue was discovered in Istio 1.3 through 1.3.6. Under certain circumstances, it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts the x-istio-attributes header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to a source equal to ingress. To exploit this vulnerability, someone has to encode a source.uid in this header. This feature is disabled by default in Istio 1.3 and 1.4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20

Products Affected

Vendor Product Version
istio istio *
CVE-2021-31920 MEDIUM

Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-706

Products Affected

Vendor Product Version
istio istio *
CVE-2021-31921 MEDIUM

Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862

Products Affected

Vendor Product Version
istio istio *
CVE-2021-34824 MEDIUM

Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
istio istio *
CVE-2021-39155 MEDIUM

Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case-insensitive way, but currently the comparison is case sensitive. The proxy routes the request hostname in a case-insensitive way, which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects requests with hostname "httpbin.foo" for some source IPs, but the attacker can bypass this by sending the request with hostname "Httpbin.Foo". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a workaround, a Lua filter may be written to normalize the Host header before the authorization check. This is similar to the path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L 2.8 5.5
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-178, CWE-863

Products Affected

Vendor Product Version
istio istio *
CVE-2021-39156 MEDIUM

Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio's URI path based authorization policies. Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a workaround, a Lua filter may be written to normalize the path.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
security-advisories@github.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863, CWE-706

Products Affected

Vendor Product Version
istio istio *
CVE-2022-21679 HIGH

Istio is an open platform to connect, manage, and secure microservices. In Istio 1.12.0 and 1.12.1, the authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or rejected unexpectedly for DENY action during the upgrade from 1.11 to 1.12.0/1.12.1. Istio 1.12 supports the hosts and notHosts fields in authorization policy with a new Envoy API shipped with the 1.12 data plane. A bug in 1.12.0 and 1.12.1 incorrectly uses the new Envoy API with the 1.11 data plane. This causes the hosts and notHosts fields to always match, regardless of the actual value of the host header, when mixing a 1.12.0/1.12.1 control plane with a 1.11 data plane. Users are advised to upgrade, or not to mix the 1.12.0/1.12.1 control plane with the 1.11 data plane if using the hosts or notHosts fields in authorization policy.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
security-advisories@github.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N 1.6 5.2

CVSS 2.0

Severity: HIGH

Problem Type: CWE-670

Products Affected

Vendor Product Version
istio istio 1.12.1
istio istio 1.12.0
CVE-2022-21701 MEDIUM

Istio is an open platform to connect, manage, and secure microservices. In versions 1.12.0 and 1.12.1 Istio is vulnerable to a privilege escalation attack. Users who have `CREATE` permission for `gateways.gateway.networking.k8s.io` objects can escalate this privilege to create other resources that they may not have access to, such as `Pod`. This vulnerability impacts only an Alpha level feature, the Kubernetes Gateway API. This is not the same as the Istio Gateway type (gateways.networking.istio.io), which is not vulnerable. Users are advised to upgrade to resolve this issue. Users unable to upgrade should implement any of the following, each of which prevents this vulnerability: remove the gateways.gateway.networking.k8s.io CustomResourceDefinition, set the PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=true environment variable in Istiod, or remove CREATE permissions for gateways.gateway.networking.k8s.io objects from untrusted users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
security-advisories@github.com 5.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L 1.6 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863

Products Affected

Vendor Product Version
istio istio 1.12.1
istio istio 1.12.0
CVE-2022-23635 MEDIUM

Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, `istiod`, is vulnerable to a request processing error, allowing a malicious attacker who sends a specially crafted message to crash the control plane. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [multicluster](https://istio.io/latest/docs/setup/install/multicluster/primary-remote/) topologies, this port is exposed over the public internet. There are no effective workarounds beyond upgrading. Limiting network access to Istiod to the minimal set of clients can help lessen the scope of the vulnerability to some extent.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287, CWE-1284

Products Affected

Vendor Product Version
istio istio *
CVE-2022-24726 MEDIUM

Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker who sends a specially crafted message to crash the control plane when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [external istiod](https://istio.io/latest/docs/setup/install/external-controlplane/) topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet, or restrict the set of IP addresses that can query it to a set of known, trusted entities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400

Products Affected

Vendor Product Version
istio istio *
CVE-2022-31045 HIGH

Istio is an open platform to connect, manage, and secure microservices. In affected versions ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing. Users are most likely at risk if they have an Istio ingress Gateway exposed to external traffic. This vulnerability has been resolved in versions 1.12.8, 1.13.5, and 1.14.1. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
security-advisories@github.com 7.0 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H 2.2 4.7

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125

Products Affected

Vendor Product Version
istio istio 1.14.0
istio istio *
CVE-2022-39278

Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection. Prior to versions 1.15.2, 1.14.5, and 1.13.9, the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker who sends a specially crafted or oversized message to crash the control plane when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially external istiod topologies, this port is exposed over the public internet. Versions 1.15.2, 1.14.5, and 1.13.9 contain patches for this issue. There are no effective workarounds beyond upgrading. This bug is due to an error in `regexp.Compile` in Go.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
istio istio *
CVE-2022-39388

Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds.

Products Affected

Vendor Product Version
istio istio *
CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
redhat cryostat 2.0
nodejs node.js *
redhat openshift_container_platform 4.0
redhat node_maintenance_operator -
cisco crosswork_data_gateway *
cisco ultra_cloud_core_-_policy_control_function 2024.01.0
nghttp2 nghttp2 *
jenkins jenkins *
redhat migration_toolkit_for_containers -
cisco nx-os *
grpc grpc *
cisco crosswork_situation_manager -
cisco telepresence_video_communication_server *
cisco ios_xr *
apache apisix *
f5 big-ip_application_acceleration_manager *
f5 nginx *
redhat process_automation 7.0
redhat integration_service_registry -
redhat migration_toolkit_for_applications 6.0
f5 big-ip_advanced_firewall_manager 17.1.0
cisco expressway *
envoyproxy envoy 1.27.0
redhat openshift_container_platform_assisted_installer -
redhat openshift_pipelines -
linkerd linkerd 2.13.1
linkerd linkerd 2.14.1
redhat decision_manager 7.0
akka http_server *
f5 big-ip_domain_name_system *
redhat ansible_automation_platform 2.0
microsoft windows_10_1607 *
ietf http 2.0
f5 big-ip_local_traffic_manager *
apache solr *
golang http2 *
microsoft windows_server_2022 -
cisco crosswork_data_gateway 5.0
f5 big-ip_ssl_orchestrator *
cisco secure_web_appliance_firmware *
redhat openshift_virtualization 4
f5 big-ip_application_acceleration_manager 17.1.0
microsoft .net *
cisco ultra_cloud_core_-_policy_control_function *
cisco connected_mobile_experiences *
traefik traefik 3.0.0
redhat cost_management -
redhat jboss_fuse 6.0.0
golang go *
redhat openshift_secondary_scheduler_operator -
redhat service_telemetry_framework 1.5
grpc grpc 1.57.0
linecorp armeria *
f5 big-ip_analytics 17.1.0
microsoft cbl-mariner *
apache tomcat 11.0.0
redhat openshift_data_science -
projectcontour contour *
redhat service_interconnect 1.0
redhat openstack_platform 17.1
linkerd linkerd 2.14.0
redhat run_once_duration_override_operator -
f5 big-ip_carrier-grade_nat 17.1.0
f5 big-ip_domain_name_system 17.1.0
redhat openshift_api_for_data_protection -
traefik traefik *
netty netty *
f5 big-ip_application_visibility_and_reporting 17.1.0
f5 big-ip_local_traffic_manager 17.1.0
redhat integration_camel_for_spring_boot -
redhat fence_agents_remediation_operator -
f5 big-ip_carrier-grade_nat *
microsoft windows_server_2019 -
debian debian_linux 11.0
microsoft windows_server_2016 -
f5 big-ip_global_traffic_manager *
f5 big-ip_ssl_orchestrator 17.1.0
redhat ceph_storage 5.0
redhat advanced_cluster_security 4.0
f5 nginx_plus r30
f5 big-ip_policy_enforcement_manager 17.1.0
f5 big-ip_next 20.0.1
cisco data_center_network_manager -
redhat machine_deletion_remediation_operator -
cisco crosswork_zero_touch_provisioning *
redhat jboss_fuse 7.0.0
redhat self_node_remediation_operator -
apple swiftnio_http/2 *
f5 big-ip_application_visibility_and_reporting *
amazon opensearch_data_prepper *
redhat migration_toolkit_for_virtualization -
f5 nginx_plus r29
redhat openshift_distributed_tracing -
microsoft visual_studio_2022 *
redhat jboss_enterprise_application_platform 6.0.0
cisco unified_contact_center_enterprise_-_live_data_server *
redhat openshift_service_mesh 2.0
facebook proxygen *
f5 big-ip_global_traffic_manager 17.1.0
redhat enterprise_linux 9.0
redhat quay 3.0.0
redhat integration_camel_k -
f5 big-ip_webaccelerator *
redhat build_of_optaplanner 8.0
redhat openshift -
redhat openstack_platform 16.2
golang networking *
microsoft windows_11_21h2 *
redhat jboss_a-mq 7
microsoft windows_11_22h2 *
f5 big-ip_analytics *
redhat build_of_quarkus -
apache tomcat *
cisco ultra_cloud_core_-_session_management_function *
f5 big-ip_advanced_firewall_manager *
cisco secure_dynamic_attributes_connector *
f5 big-ip_policy_enforcement_manager *
microsoft azure_kubernetes_service *
redhat network_observability_operator -
kazu-yamamoto http2 *
dena h2o *
f5 big-ip_link_controller 17.1.0
redhat jboss_data_grid 7.0.0
redhat logging_subsystem_for_red_hat_openshift -
cisco prime_network_registrar *
apache traffic_server *
redhat satellite 6.0
openresty openresty *
f5 big-ip_link_controller *
f5 big-ip_webaccelerator 17.1.0
f5 big-ip_advanced_web_application_firewall *
varnish_cache_project varnish_cache *
redhat openshift_serverless -
cisco firepower_threat_defense *
konghq kong_gateway *
netapp oncommand_insight -
cisco fog_director *
redhat support_for_spring_boot -
redhat jboss_a-mq_streams -
f5 big-ip_websafe *
cisco business_process_automation *
f5 big-ip_websafe 17.1.0
cisco prime_access_registrar *
f5 big-ip_application_security_manager *
linkerd linkerd 2.13.0
cisco prime_cable_provisioning *
cisco unified_contact_center_domain_manager -
cisco ios_xe *
redhat node_healthcheck_operator -
redhat openshift_gitops -
debian debian_linux 12.0
redhat advanced_cluster_management_for_kubernetes 2.0
redhat openshift_sandboxed_containers -
redhat jboss_core_services -
envoyproxy envoy 1.25.9
redhat openshift_dev_spaces -
redhat 3scale_api_management_platform 2.0
fedoraproject fedora 38
cisco prime_infrastructure *
debian debian_linux 10.0
redhat certification_for_red_hat_enterprise_linux 9.0
redhat cert-manager_operator_for_red_hat_openshift -
f5 big-ip_advanced_web_application_firewall 17.1.0
cisco enterprise_chat_and_email -
redhat openstack_platform 16.1
f5 nginx_ingress_controller *
redhat certification_for_red_hat_enterprise_linux 8.0
redhat single_sign-on 7.0
fedoraproject fedora 37
microsoft windows_10_21h2 *
caddyserver caddy *
f5 big-ip_application_security_manager 17.1.0
f5 big-ip_fraud_protection_service *
cisco unified_contact_center_management_portal -
redhat web_terminal -
redhat enterprise_linux 8.0
f5 big-ip_access_policy_manager *
netapp astra_control_center -
cisco unified_contact_center_enterprise -
cisco iot_field_network_director *
istio istio *
f5 big-ip_next_service_proxy_for_kubernetes *
envoyproxy envoy 1.24.10
f5 nginx_plus *
redhat jboss_enterprise_application_platform 7.0.0
eclipse jetty *
redhat openshift_developer_tools_and_services -
f5 big-ip_access_policy_manager 17.1.0
f5 big-ip_ddos_hybrid_defender 17.1.0
microsoft windows_10_22h2 *
redhat enterprise_linux 6.0
microsoft windows_10_1809 *
envoyproxy envoy 1.26.4
f5 big-ip_fraud_protection_service 17.1.0
microsoft asp.net_core *
cisco unified_attendant_console_advanced -
redhat advanced_cluster_security 3.0
f5 big-ip_ddos_hybrid_defender *
linkerd linkerd *
cisco ultra_cloud_core_-_serving_gateway_function *
cisco secure_malware_analytics *
CVE-2026-31837

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, which exposes hardcoded defaults regardless of whether the RequestAuthentication resource is used. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.

Products Affected

Vendor Product Version
istio istio *
CVE-2026-31838

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a vulnerability in Envoy RBAC header matching could allow authorization policy bypass when policies rely on HTTP headers that may contain multiple values. An attacker could craft requests with multiple header values in a way that causes Envoy to evaluate the header differently than intended, potentially bypassing authorization checks. This may allow unauthorized requests to reach protected services when policies depend on such header-based matching conditions. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.

Products Affected

Vendor Product Version
istio istio *