Istio contains a remotely exploitable vulnerability. If path-based authorization rules are used, an HTTP request path with multiple slashes (%2F) or escaped slash characters (%5C) may bypass an Istio authorization policy. In this case, the policy fails to enforce the intended restriction. This topic lists the versions of Istio that contain the vulnerability and provides a solution.

For more information, see ISTIO-SECURITY-2021-005.

Affected versions

If both of the following conditions are met, your authorization policies can be bypassed because of the vulnerability:
  • The Istio version is earlier than 1.8.6.
  • Path-based authorization rules are used, and an HTTP request path contains multiple slashes (%2F) or escaped slash characters (%5C).

Impact

If path-based authorization rules are used, an HTTP request path with multiple slashes (%2F) or escaped slash characters (%5C) may bypass an Istio authorization policy. In this case, the policy fails to enforce the intended restriction, and the request reaches a path that the rule was meant to protect.
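The following is an added illustration, not code from Istio or from this topic, of why a policy engine must normalize a request path before matching it against a path-based rule. A naive matcher compares the raw path literally, so variants that contain repeated, percent-encoded (%2F), or backslash-escaped (%5C) slashes do not match the protected prefix even though the upstream service resolves them to the same resource. The `DENIED_PREFIX` value and the sample paths are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed example: a deny rule for everything under /admin.
DENIED_PREFIX = "/admin"


def naive_denied(path: str) -> bool:
    """Match the raw request path literally, the way a policy engine that
    skips normalization would. Encoded or doubled slashes defeat it."""
    return path.startswith(DENIED_PREFIX)


def normalize_path(path: str) -> str:
    """Bring a request path into the form the upstream service will see:
    decode percent-escapes (covers %2F and %5C), treat backslashes as
    slashes, and merge runs of slashes into one."""
    decoded = unquote(path)                  # "%2Fadmin"  -> "/admin"
    decoded = decoded.replace("\\", "/")     # "\\admin"   -> "/admin"
    merged = re.sub(r"/+", "/", decoded)     # "//admin"   -> "/admin"
    if not merged.startswith("/"):
        merged = "/" + merged
    return merged


def normalized_denied(path: str) -> bool:
    """Apply the same rule after normalization, so the variants above
    are matched and denied as intended."""
    return normalize_path(path).startswith(DENIED_PREFIX)


if __name__ == "__main__":
    # Constructed request paths that all resolve to /admin/users upstream.
    for raw in ["/admin/users", "//admin/users", "/%2Fadmin/users", "%5Cadmin/users"]:
        print(f"{raw:20} naive={naive_denied(raw)!s:5} normalized={normalized_denied(raw)}")
```

Only the first path is denied by the naive matcher; all four are denied once the path is normalized first, which is the behaviour the fixed Istio versions restore.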

Solution

Update the Istio version to 1.8.6 or later.