CVE-2021-39156

Description

### Impact Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio’s URI path based authorization policies. ### Patches * Istio 1.11.1 and above * Istio 1.10.4 and above * Istio 1.9.8 and above ### Workarounds A Lua filter may be written to normalize the path. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide. ### References More details can be found in the [Istio Security Bulletin](https://istio.io/latest/news/security/istio-security-2021-008) ### For more information If you have any questions or comments about this advisory, please email us at istio-security-vulnerability-reports@googlegroups.com

How to fix CVE-2021-39156

To remediate CVE-2021-39156, upgrade the affected package to a fixed version below.

• —upgrade to 1.9.8 or later

Is CVE-2021-39156 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.9.8

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-39156
• PATCHgithub.com/istio/istio
• WEBgithub.com/istio/istio/security/advisories/GHSA-hqxw-mm44-gc4r
• WEBistio.io/latest/news/security/istio-security-2021-008