gsd-2021-39155
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname "httpbin.foo" for some source IPs, but the attacker can bypass this by sending the request with hostname "Httpbin.Foo". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.
Aliases
Aliases
{ GSD: { alias: "CVE-2021-39155", description: "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.", id: "GSD-2021-39155", references: [ "https://access.redhat.com/errata/RHSA-2021:3273", "https://access.redhat.com/errata/RHSA-2021:3272", "https://security.archlinux.org/CVE-2021-39155", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2021-39155", ], details: "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.", id: "GSD-2021-39155", modified: "2023-12-13T01:23:15.821563Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-39155", STATE: "PUBLIC", TITLE: "Authorization Policy Bypass Due to Case Insensitive Host Comparison", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "istio", version: { version_data: [ { version_value: "<= 1.9.8", }, { version_value: ">= 1.10.0, < 1.10.4", }, { version_value: ">= 1.11.0, < 1.11.1", }, ], }, }, ], }, vendor_name: "istio", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 8.3, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-178: Improper Handling of Case Sensitivity", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j", refsource: "CONFIRM", url: "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j", }, { name: "https://datatracker.ietf.org/doc/html/rfc4343", refsource: "MISC", url: "https://datatracker.ietf.org/doc/html/rfc4343", }, ], }, source: { advisory: "GHSA-7774-7vr3-cc8j", discovery: "UNKNOWN", }, }, "gitlab.com": { advisories: [ { affected_range: "<1.9.8||>=1.10.0 <1.10.4||=1.11.0", affected_versions: "All versions before 1.9.8, all versions starting from 1.10.0 before 1.10.4, version 1.11.0", cvss_v2: "AV:N/AC:L/Au:N/C:P/I:N/A:N", cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", cwe_ids: [ "CWE-1035", "CWE-178", "CWE-937", ], date: "2021-12-13", description: "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the Security Best Practices guide.", fixed_versions: [ "1.9.8", "1.10.4", "1.11.1", ], identifier: "CVE-2021-39155", identifiers: [ "GHSA-7774-7vr3-cc8j", "CVE-2021-39155", ], not_impacted: "All versions starting from 1.9.8 before 1.10.0, all versions starting from 1.10.4 before 1.11.0, all versions after 1.11.0", package_slug: "go/Istio.io/isio", pubdate: "2021-08-30", solution: "Upgrade to versions 1.9.8, 1.10.4, 1.11.1 or above.", title: "Improper Handling of Case Sensitivity", urls: [ "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j", "https://nvd.nist.gov/vuln/detail/CVE-2021-39155", "https://github.com/advisories/GHSA-7774-7vr3-cc8j", ], uuid: "428a970c-be4e-48ee-9567-0f000fbc29ad", }, { affected_range: "<1.9.8 || >=1.10.0 <1.10.4 || >=1.11.0 <1.11.1", affected_versions: "All versions before 1.9.8, all versions starting from 1.10.0 before 1.10.4, all versions starting from 1.11.0 before 1.11.1", cvss_v2: "AV:N/AC:L/Au:N/C:P/I:N/A:N", cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", cwe_ids: [ "CWE-1035", "CWE-937", ], date: "2021-08-31", description: "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC ](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio, Istio and Istio As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices] (https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.", fixed_versions: [ "1.9.8", "1.10.4", "1.11.1", ], identifier: "CVE-2021-39155", identifiers: [ "CVE-2021-39155", "GHSA-7774-7vr3-cc8j", ], not_impacted: "All versions starting from 1.9.8 before 1.10.0, all versions starting from 1.10.4 before 1.11.0 all versions starting from 1.11.1", package_slug: "go/github.com/istio/istio", pubdate: "2021-08-24", solution: "Upgrade to version 1.9.8, 1.10.4, 1.11.1 or above.", title: "Improper Handling of Case Sensitivity", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2021-39155", ], uuid: "8edf8fa9-1927-4899-90f0-d2510c9e66e6", versions: [ { commit: { sha: "6df2102bcdcdb04f9b6d9b1264a67196c48620ef", tags: [ "1.10.0", ], timestamp: "20210514163357", }, number: "v1.10.0", }, { commit: { sha: "e57d02ff982c8fb4c30a6bd4a9095a186abc83eb", tags: [ "1.11.1", ], timestamp: "20210810222043", }, number: "v1.11.1", }, { commit: { sha: "1a8d4bcd9aa3b57a0a70f05c155a00882de24770", tags: [ "1.11.0", ], timestamp: "20210812154527", }, number: "v1.11.0", }, { commit: { sha: "92c1e77c09cd8def47a2044375c15ea28a69df9d", tags: [ "1.10.4", ], timestamp: "20210820061852", }, number: "v1.10.4", }, { commit: { sha: "1b85babc05270d8baa0254b7a38acc1aad3e751c", tags: [ "1.9.8", ], timestamp: "20210820153838", }, number: "v1.9.8", }, ], }, { affected_range: "<1.9.8||>=1.10.0 <1.10.4||=1.11.0", affected_versions: "All versions before 1.9.8, all versions starting from 1.10.0 before 1.10.4, version 1.11.0", cvss_v2: "AV:N/AC:L/Au:N/C:P/I:N/A:N", cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", cwe_ids: [ "CWE-1035", "CWE-178", "CWE-937", ], date: "2022-07-16", description: "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.", fixed_versions: [ "1.9.8", "1.10.4", "1.11.1", ], identifier: "CVE-2021-39155", identifiers: [ "GHSA-7774-7vr3-cc8j", "CVE-2021-39155", ], not_impacted: "All versions starting from 1.9.8 before 1.10.0, all versions starting from 1.10.4 before 1.11.0, all versions after 1.11.0", package_slug: "go/istio.io/istio", pubdate: "2021-08-30", solution: "Upgrade to versions 1.9.8, 1.10.4, 1.11.1 or above.", title: "Improper Handling of Case Sensitivity", urls: [ "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j", "https://nvd.nist.gov/vuln/detail/CVE-2021-39155", "https://datatracker.ietf.org/doc/html/rfc4343", "https://github.com/advisories/GHSA-7774-7vr3-cc8j", ], uuid: "59369ee0-2c77-4102-abb1-1372691bfff8", }, ], }, "nvd.nist.gov": { cve: { configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", matchCriteriaId: "2FBF48C6-1E39-4692-A652-27E7DCDC81BC", versionEndExcluding: "1.9.8", vulnerable: true, }, { criteria: "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", matchCriteriaId: "59BD6BCF-15CE-49D9-B487-EEA603D3D5CC", versionEndExcluding: "1.10.4", versionStartIncluding: "1.10.0", vulnerable: true, }, { criteria: "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", matchCriteriaId: "886DF572-26C9-4BC9-875F-F043D445C346", versionEndExcluding: "1.11.1", versionStartIncluding: "1.11.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], descriptions: [ { lang: "en", value: "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.", }, { lang: "es", value: "Istio es una plataforma de cĂłdigo abierto que proporciona una forma uniforme de integrar microservicios, administrar el flujo de tráfico entre microservicios, aplicar polĂticas y agregar datos de telemetrĂa. SegĂşn [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), la polĂtica de autorizaciĂłn de Istio deberĂa comparar el nombre de host en el encabezado HTTP Host de forma no sensible a mayĂşsculas y minĂşsculas, pero actualmente la comparaciĂłn es sensible a mayĂşsculas y minĂşsculas. El proxy enrutará el nombre de host de la peticiĂłn de forma no sensible a mayĂşsculas y minĂşsculas, lo que significa que la polĂtica de autorizaciĂłn podrĂa ser omitida. Por ejemplo, el usuario puede tener una polĂtica de autorizaciĂłn que rechace peticiones con el nombre de host \"httpbin.foo\" para algunas IPs de origen, pero el atacante puede omitir esto mediante el envĂo de la peticiĂłn con el nombre de host \"Httpbin.Foo\". Los parches están disponibles en Istio versiĂłn 1.11.1, Istio versiĂłn 1.10.4 e Istio versiĂłn 1.9.8. Como soluciĂłn, puede escribirse un filtro Lua para normalizar el encabezado Host antes de la comprobaciĂłn de la autorizaciĂłn. Esto es similar a la normalizaciĂłn de la Ruta presentada en la guĂa [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization).", }, ], id: "CVE-2021-39155", lastModified: "2024-02-21T21:01:31.320", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 8.3, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.5, source: "security-advisories@github.com", type: "Secondary", }, ], }, published: "2021-08-24T23:15:07.093", references: [ { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://datatracker.ietf.org/doc/html/rfc4343", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-178", }, { lang: "en", value: "CWE-863", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-178", }, ], source: "security-advisories@github.com", type: "Secondary", }, ], }, }, }, }
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.