CVE-2021-31920

Medium

Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or…

mitre·CWE-706·Published 2021-05-27

CVSS

6.5

EPSS

0.01

KEV

Exploits

cve.orgen

273 chars

Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used.

NVDen

273 chars

GHSAen

273 chars

NVDes

358 chars

Istio versiones anteriores a 1.8.6 y versiones 1.9.x anteriores a 1.9.5 presenta una vulnerabilidad explotable de forma remota en la que una ruta de petición HTTP con múltiples barras o caracteres de barra de escape (%2F o %5C) podría omitir potencialmente una política de autorización de Istio cuando las reglas de autorización basadas en la ruta son usadas

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	4.0	8.0	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N
3.1	Primary	NVD	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
3.1	Secondary	GHSA	6.5	—	—	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N