CVE-2020-16844
Published 2020-10-01
Priority: P3 · 35 · medium · CVSS 3.1 base score 6.8 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS: 1.10% (61.6th percentile)
In Istio 1.5.0 through 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| istio.io | istio | >= 1.5.0 < 1.5.9 | 1.5.9 |
| istio.io | istio | >= 1.6.0 < 1.6.8 | 1.6.8 |
| istio | istio | 1.5.0 – 1.5.8 | — |
| istio | istio | 1.6.0 – 1.6.7 | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd v3.1 | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
| nvd v2.0 | 4.9 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:N |
| vendor_redhat | 6.8 | MEDIUM | — |
Red Hat (vendor_redhat · 2020-08-11 · CVSS 6.8)
CVE-2020-16844 [MEDIUM] CWE-284 istio: incorrect translation of DENY policy for TCP service
An insecure access control vulnerability was found in Istio. If an authorization policy is created for a TCP service that includes a DENY rule with a prefix wildcard, Istio translates this into an Envoy string match, incorrectly removing the wildcard. This flaw allows an attacker to subvert particular DENY rules, potentially gaining access to restricted resources.
Mitigation: In regards to an AuthorizationPolicy for a TCP service, if using a DENY ru
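The Go model below is an added illustration, not Istio's or Envoy's code: it contrasts a policy translation that drops the wildcard, as the advisory describes, with one that preserves it, so a DENY rule on `*-some-suffix` can be checked against a constructed caller principal. The names `StringMatcher`, `TranslateBuggy`, `TranslateFixed` and `Denied` are assumptions of this example.

```go
package main

import ("fmt"; "strings")

// StringMatcher stands in for Envoy's string matcher (example model, not Istio/Envoy code); set one field.
type StringMatcher struct{ Exact, Prefix, Suffix string }

func (m StringMatcher) Matches(value string) bool {
	switch {
	case m.Prefix != "":
		return strings.HasPrefix(value, m.Prefix)
	case m.Suffix != "":
		return strings.HasSuffix(value, m.Suffix)
	default:
		return value == m.Exact
	}
}

// TranslateBuggy drops the "*" and matches the rest exactly (the advisory's "incorrectly removing the wildcard").
func TranslateBuggy(pattern string) StringMatcher {
	return StringMatcher{Exact: strings.Trim(pattern, "*")}
}

// TranslateFixed keeps wildcard semantics: a leading "*" means suffix match, a trailing "*" prefix match.
func TranslateFixed(pattern string) StringMatcher {
	switch {
	case strings.HasPrefix(pattern, "*"):
		return StringMatcher{Suffix: pattern[1:]}
	case strings.HasSuffix(pattern, "*"):
		return StringMatcher{Prefix: pattern[:len(pattern)-1]}
	default:
		return StringMatcher{Exact: pattern}
	}
}

// Denied evaluates one DENY rule: the caller is denied when its principal matches any source pattern.
func Denied(translate func(string) StringMatcher, patterns []string, principal string) bool {
	for _, p := range patterns {
		if translate(p).Matches(principal) {
			return true
		}
	}
	return false
}

func main() {
	caller := "cluster.local/ns/default/sa/untrusted-some-suffix" // constructed principal
	fmt.Println("buggy denies:", Denied(TranslateBuggy, []string{"*-some-suffix"}, caller)) // false
	fmt.Println("fixed denies:", Denied(TranslateFixed, []string{"*-some-suffix"}, caller)) // true
}
```

With the buggy translation the rule only ever matches the literal principal `-some-suffix`, which is why every real caller slips past the DENY.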
GHSA (ghsa · 2022-02-15)
CVE-2020-16844 [MEDIUM] CWE-284 Authorization bypass in Istio
### Specific Go Packages Affected
istio.io/istio/pilot/pkg/security/authz/model/matcher
OSV (osv · 2022-02-15)
CVE-2020-16844 [MEDIUM] Authorization bypass in Istio
No detection rules found.
No public exploits indexed.