Istio contains a remotely exploitable vulnerability. If path-based authorization rules are used, an HTTP request whose path contains multiple slashes or escaped slash characters (%2F or %5C) may bypass an Istio authorization policy. In this case, the policy is not enforced as intended. This topic lists the versions of Istio that contain the vulnerability and provides a solution.
For more information, see ISTIO-SECURITY-2021-005.
Affected versions
- The Istio version is earlier than 1.8.6.
- Path-based authorization rules are used, and an HTTP request path contains multiple slashes or escaped slash characters (%2F or %5C).
Impact
If path-based authorization rules are used, an HTTP request whose path contains multiple slashes or escaped slash characters (%2F or %5C) may bypass an Istio authorization policy. In this case, the policy is not enforced as intended: a path that a rule is meant to deny is compared in its raw, non-normalized form, so it does not match the rule and the request is allowed through.
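The following Python example is added here to illustrate why a request path must be normalized before it is compared against a path-based rule; it is not Istio or Envoy code. The normalization steps it applies (percent-decoding, treating a backslash as a slash, merging consecutive slashes, resolving dot segments) are a simplified approximation and an assumption of this example, as are the sample rule and sample request paths, which are constructed.

```python
from urllib.parse import unquote

# Constructed sample rule: requests under /admin must be denied.
DENY_PREFIXES = ("/admin",)


def normalize_path(path: str) -> str:
    """Return a canonical form of a request path (assumed, simplified steps):
    1. percent-decode (so %2F becomes '/' and %5C becomes '\\'),
    2. treat a backslash as a path separator,
    3. merge consecutive slashes,
    4. resolve '.' and '..' segments.
    """
    decoded = unquote(path).replace("\\", "/")
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):        # empty segment == repeated slash
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def _matches_prefix(path: str, prefixes) -> bool:
    # Match the exact prefix or a sub-path of it; '/adminx' must not match '/admin'.
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def is_denied_raw(path: str) -> bool:
    """Rule evaluation on the raw path: vulnerable to the variants above."""
    return _matches_prefix(path, DENY_PREFIXES)


def is_denied_normalized(path: str) -> bool:
    """Hardened evaluation: normalize first, then compare."""
    return _matches_prefix(normalize_path(path), DENY_PREFIXES)


def find_discrepancies(paths):
    """Paths on which the raw and normalized evaluations disagree.

    Useful as a regression check: every entry returned is a path the raw
    matcher would have let through although the policy intends to deny it.
    """
    return [p for p in paths if is_denied_raw(p) != is_denied_normalized(p)]


# Constructed sample request paths.
SAMPLE_PATHS = [
    "/admin",              # denied by both matchers
    "//admin",             # multiple slashes
    "/%2Fadmin",           # escaped slash
    "/admin%5Cusers",      # escaped backslash used as separator
    "/public/../admin",    # dot segment
    "/adminx",             # different resource, allowed by both
    "/public",             # allowed by both
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:22} raw={is_denied_raw(p)!s:5} normalized={is_denied_normalized(p)}")
    print("bypass candidates:", find_discrepancies(SAMPLE_PATHS))
```

Running the script shows that the raw matcher denies only the literal `/admin`, while the normalized matcher also denies the four variants that resolve to the same resource. Later Istio releases expose an equivalent choice for the proxy as the `meshConfig.pathNormalization.normalization` mesh option; on the versions covered by this bulletin the fix is the upgrade described below.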
Solution
Update the Istio version to 1.8.6 or later.