CVE-2020-16844
published 2020-10-01

CVE-2020-16844: In Istio 1.5.0 through 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g…

Priority: P3 | 35 | medium | CVSS 3.1 base score: 6.8
CVSS 3.1 vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N (Attack Vector: Network, Attack Complexity: High, Privileges Required: Low, User Interaction: None, Scope: Unchanged, Confidentiality: High, Integrity: High, Availability: None)
EPSS: 1.10% (61.6th percentile)
In Istio 1.5.0 through 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy. The failure is silent and fails open: the DENY rule is accepted by the control plane but matches no caller, so workloads the policy was meant to block keep getting through. Fixed in Istio 1.5.9 and 1.6.8.
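A quick way to find policies that hit this bug on a running cluster, as an added example (this is not code from the page or from the Istio project): the script below reads the JSON that `kubectl get authorizationpolicies -A -o json` prints and flags every DENY rule whose `source.principals` or `source.namespaces` entry is a wildcard-suffix pattern such as `*-some-suffix`. The embedded JSON is a constructed sample, and the policy names and namespaces in it are hypothetical. Only the two fields the advisory names are checked; a bare `*` and prefix patterns like `ns-*` are deliberately not flagged, because the advisory does not describe them.

```python
"""
Scan Istio AuthorizationPolicy objects for the CVE-2020-16844 shape:
a DENY action whose source.principals or source.namespaces contain a
wildcard-suffix match ("*-some-suffix"). On Istio 1.5.0-1.5.8 and
1.6.0-1.6.7 such a rule never denies anyone.

Added example, not part of the advisory or of Istio. Input format is the
JSON List that `kubectl get authorizationpolicies -A -o json` prints.
"""
import json
import sys

# Constructed sample of kubectl output; policy names/namespaces are hypothetical.
SAMPLE_KUBECTL_JSON = r'''
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "security.istio.io/v1beta1",
      "kind": "AuthorizationPolicy",
      "metadata": {"name": "deny-legacy-callers", "namespace": "payments"},
      "spec": {
        "action": "DENY",
        "rules": [
          {"from": [{"source": {"principals": ["*-legacy"]}}]},
          {"from": [{"source": {"namespaces": ["*-sandbox"]}}]}
        ]
      }
    },
    {
      "apiVersion": "security.istio.io/v1beta1",
      "kind": "AuthorizationPolicy",
      "metadata": {"name": "allow-frontend", "namespace": "payments"},
      "spec": {
        "action": "ALLOW",
        "rules": [{"from": [{"source": {"principals": ["*-frontend"]}}]}]
      }
    },
    {
      "apiVersion": "security.istio.io/v1beta1",
      "kind": "AuthorizationPolicy",
      "metadata": {"name": "deny-batch", "namespace": "payments"},
      "spec": {
        "action": "DENY",
        "rules": [{"from": [{"source": {"principals": ["cluster.local/ns/batch/sa/runner"]}}]}]
      }
    },
    {
      "apiVersion": "security.istio.io/v1beta1",
      "kind": "AuthorizationPolicy",
      "metadata": {"name": "deny-ops-ns", "namespace": "default"},
      "spec": {
        "action": "DENY",
        "rules": [{"from": [{"source": {"namespaces": ["ops-*"]}}]}]
      }
    }
  ]
}
'''


def is_wildcard_suffix(value: str) -> bool:
    """True for '*-some-suffix' style values: a leading '*' followed by a
    literal tail. A lone '*' and prefix patterns ('ops-*') are not the
    shape the advisory describes, so they are not flagged."""
    return len(value) > 1 and value.startswith("*")


def find_vulnerable_rules(policy: dict) -> list:
    """Return (rule_index, field, value) for every wildcard-suffix entry in
    a DENY policy's source.principals / source.namespaces. ALLOW policies
    (the default action when 'action' is absent) are unaffected."""
    spec = policy.get("spec", {})
    if spec.get("action", "ALLOW").upper() != "DENY":
        return []
    findings = []
    for idx, rule in enumerate(spec.get("rules", [])):
        for clause in rule.get("from", []):
            source = clause.get("source", {})
            for field in ("principals", "namespaces"):
                for value in source.get(field, []):
                    if is_wildcard_suffix(value):
                        findings.append((idx, field, value))
    return findings


def scan_kubectl_output(raw_json: str) -> dict:
    """Map 'namespace/name' -> findings for each affected policy. Accepts
    either a kubectl List or a single AuthorizationPolicy object."""
    doc = json.loads(raw_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    report = {}
    for pol in items:
        if pol.get("kind") != "AuthorizationPolicy":
            continue
        hits = find_vulnerable_rules(pol)
        if hits:
            md = pol.get("metadata", {})
            report[f"{md.get('namespace', 'default')}/{md.get('name', '?')}"] = hits
    return report


if __name__ == "__main__":
    # Pass a file saved from kubectl as argv[1]; otherwise the sample is scanned.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KUBECTL_JSON
    for key, hits in scan_kubectl_output(raw).items():
        print(key)
        for idx, field, value in hits:
            print(f"  rule[{idx}].from.source.{field}: {value!r} "
                  "-> never denies on Istio 1.5.0-1.5.8 / 1.6.0-1.6.7")
```

On the sample only `payments/deny-legacy-callers` is reported, for both of its rules. The script is a triage aid, not a fix: the remedy is upgrading to 1.5.9 or 1.6.8, and until then a flagged policy should be treated as if the DENY rule were absent.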

Affected (4 ranges)

Vendor      Product   Version range        Fixed in
istio.io    istio     >= 1.5.0 < 1.5.9     1.5.9
istio.io    istio     >= 1.6.0 < 1.6.8     1.6.8
istio       istio     1.5.0 – 1.5.8
istio       istio     1.6.0 – 1.6.7

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      6.8     MEDIUM     CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
nvd             v2.0      4.9     MEDIUM     AV:N/AC:M/Au:S/C:P/I:P/A:N
vendor_redhat             6.8     MEDIUM