CVE-2021-39155
Published 2021-08-24
Priority: P3 · 43 · high
CVSS 3.1 base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 1.15% (63.1 percentile)
Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), DNS names are case-insensitive, so Istio authorization policy should compare the hostname in the HTTP Host header case-insensitively; in affected versions the comparison is case-sensitive. The proxy, however, routes on the request hostname case-insensitively, so a request can reach its routed destination while failing to match the authorization rule written for that host. As an example, a user may have an authorization policy that rejects requests with hostname "httpbin.foo" from some source IPs; an attacker at one of those IPs can bypass it by sending the request with hostname "Httpbin.Foo". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a workaround, a Lua filter may be written to normalize the Host header before the authorization check, similar to the path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.
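As an added example (not part of the advisory and not the Istio project's own code), the two resources below put the mismatch in deployable form: an AuthorizationPolicy of the kind the advisory describes, denying `httpbin.foo` for a source range, followed by the Lua-based EnvoyFilter workaround it suggests, which lowercases the Host header (`:authority` in Envoy's header map) before Istio's RBAC filter evaluates the policy. The resource names, the `default` namespace, the `app: httpbin` selector and the 198.51.100.0/24 source range are constructed for illustration; the `SIDECAR_INBOUND` context is an assumption (use `GATEWAY` for policies enforced at an ingress gateway). The filter mirrors the shape of the path-normalization filter in the Istio Security Best Practices guide but is not copied from it.

```yaml
# Added example: constructed resources, not from the advisory or the Istio project.
# 1) The policy under attack. In affected versions the host match is case-sensitive,
#    so "Host: Httpbin.Foo" from 198.51.100.0/24 is routed but not denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-httpbin-foo-from-blocked-range   # constructed name
  namespace: default                          # constructed namespace
spec:
  selector:
    matchLabels:
      app: httpbin                            # constructed selector
  action: DENY
  rules:
  - from:
    - source:
        ipBlocks: ["198.51.100.0/24"]         # constructed source range
    to:
    - operation:
        hosts: ["httpbin.foo"]                # keep policy hosts lowercase so they match the normalized header
---
# 2) Workaround: lowercase :authority before the authorization filter runs.
#    INSERT_FIRST matters: the Lua filter must precede envoy.filters.http.rbac,
#    where AuthorizationPolicy is enforced. Inserting it before the router filter
#    instead would run it after the authorization decision has already been made.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: inbound-host-case-normalize           # constructed name
  namespace: default                          # assumption: same namespace as the workload
spec:
  workloadSelector:
    labels:
      app: httpbin                            # constructed selector
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND                # assumption; use GATEWAY for ingress-gateway policies
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: INSERT_FIRST
      value:
        name: envoy.lua
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            function envoy_on_request(request_handle)
              -- Envoy exposes the HTTP/1.1 Host header and the HTTP/2 :authority
              -- pseudo-header under the same ":authority" key.
              local host = request_handle:headers():get(":authority")
              if host ~= nil then
                -- string.lower folds ASCII only, which is what RFC 4343
                -- case-insensitivity calls for; wire-format host names are ASCII.
                request_handle:headers():replace(":authority", string.lower(host))
              end
            end
```

Apply the EnvoyFilter to every workload (or gateway) whose AuthorizationPolicy matches on `hosts` or `notHosts`, write those hosts in lowercase, and confirm the filter order with `istioctl proxy-config listener <pod> -o json`: `envoy.lua` should appear before `envoy.filters.http.rbac` in the inbound HTTP filter chain. To check the behaviour, send the same request twice from a denied source, once with `Host: httpbin.foo` and once with `Host: Httpbin.Foo`; a vulnerable mesh without the filter returns 403 for the first and lets the second through, while the filter (or a fixed release) rejects both. Treat the filter as a stopgap; upgrading to 1.9.8, 1.10.4 or 1.11.1 is the fix.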
Affected
Three version ranges (consolidated: the sources list the same ranges under both `istio.io` and `istio` as vendor; empty rows and one source's `<= 1.9.8` range, which contradicts the fixed version, are not reproduced)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| istio.io | istio | >= 0 < 1.9.8 | 1.9.8 |
| istio.io | istio | >= 1.10.0 < 1.10.4 | 1.10.4 |
| istio.io | istio | >= 1.11.0 < 1.11.1 | 1.11.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | 3.x | 8.3 | HIGH | (vector not listed) |
GHSA
ghsa · 2021-08-30 · CVE-2021-39155 [HIGH] · CWE-178
Authorization Policy Bypass Due to Case Insensitive Host Comparison
### Impact
According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header case-insensitively, but in affected versions the comparison is case-sensitive. The Envoy proxy routes on the request hostname case-insensitively, which means the authorization policy can be bypassed.
As an example, the user may have an authorization policy that rejects requests with hostname "httpbin.foo" for some source IPs, but the attacker can bypass this by sending the request with hostname "Httpbin.Foo".
### Patches
* Istio 1.11.1 and above
* Istio 1.10.4 and above
* Istio 1.9.8 and above
### Workarounds
A Lua filter may be written to normalize the Host header before the authorization check. This is similar to the path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.
OSV
osv · 2021-08-30 · CVE-2021-39155 [HIGH]
Authorization Policy Bypass Due to Case Insensitive Host Comparison (same advisory text as the GHSA entry above)
Red Hat
vendor_redhat · 2021-08-24 · CVSS 8.3 · CVE-2021-39155 [HIGH] · CWE-863
istio/istio: HTTP request can bypass authorization mechanisms due to case insensitive host comparison (description identical to the CVE description above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE
mitre_cwe
CWE-1289: Improper Validation of Unsafe Equivalence in Input
The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.
Attackers can sometimes bypass input validation schemes by finding inputs that appear to be safe, but will be dangerous when processed at a lower layer or by a downstream component. For example, a simple XSS protection mechanism might try to validate that an input has no "<script>" tags using case-sensitive matching, but since HTML is case-insensitive when processed by web browsers, an attacker could inject "<SCRIPT>" and trigger XSS.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Other. Impact: Varies by Context.
CWE
mitre_cwe
CWE-863: Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Background: An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups al
CWE
mitre_cwe
CWE-178: Improper Handling of Case Sensitivity
The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
Improperly handled case-sensitive data can lead to several possible consequences, including:
* case-insensitive passwords reducing the size of the key space, making brute force attacks easier
* bypassing filters or access controls using alternate names
* multiple interpretation errors using alternate names
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Access Control. Impact: Bypass Protection Mechanism.
Potential Mitigations:
[Architecture and Design] Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
Published: 2021-08-24