Vulnerability-Lookup

CVE-2021-39155 (GCVE-0-2021-39155)

Vulnerability from cvelistv5 – Published: 2021-08-24 22:25 – Updated: 2024-08-04 01:58

Title

Authorization Policy Bypass Due to Case Insensitive Host Comparison

Summary

Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname "httpbin.foo" for some source IPs, but the attacker can bypass this by sending the request with hostname "Httpbin.Foo". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.

Severity ?

8.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

CWE

CWE-178 - Improper Handling of Case Sensitivity

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	istio	istio	Affected: <= 1.9.8 Affected: >= 1.10.0, < 1.10.4 Affected: >= 1.11.0, < 1.11.1

GSD-2021-39155

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-39155

Aliases

CVE-2021-39155

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-39155",
    "description": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.",
    "id": "GSD-2021-39155",
    "references": [
      "https://access.redhat.com/errata/RHSA-2021:3273",
      "https://access.redhat.com/errata/RHSA-2021:3272",
      "https://security.archlinux.org/CVE-2021-39155"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-39155"
      ],
      "details": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.",
      "id": "GSD-2021-39155",
      "modified": "2023-12-13T01:23:15.821563Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-39155",
        "STATE": "PUBLIC",
        "TITLE": "Authorization Policy Bypass Due to Case Insensitive Host Comparison"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "istio",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c= 1.9.8"
                        },
                        {
                          "version_value": "\u003e= 1.10.0, \u003c 1.10.4"
                        },
                        {
                          "version_value": "\u003e= 1.11.0, \u003c 1.11.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "istio"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-178: Improper Handling of Case Sensitivity"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j",
            "refsource": "CONFIRM",
            "url": "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j"
          },
          {
            "name": "https://datatracker.ietf.org/doc/html/rfc4343",
            "refsource": "MISC",
            "url": "https://datatracker.ietf.org/doc/html/rfc4343"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-7774-7vr3-cc8j",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.9.8||\u003e=1.10.0 \u003c1.10.4||=1.11.0",
          "affected_versions": "All versions before 1.9.8, all versions starting from 1.10.0 before 1.10.4, version 1.11.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-178",
            "CWE-937"
          ],
          "date": "2021-12-13",
          "description": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the Security Best Practices guide.",
          "fixed_versions": [
            "1.9.8",
            "1.10.4",
            "1.11.1"
          ],
          "identifier": "CVE-2021-39155",
          "identifiers": [
            "GHSA-7774-7vr3-cc8j",
            "CVE-2021-39155"
          ],
          "not_impacted": "All versions starting from 1.9.8 before 1.10.0, all versions starting from 1.10.4 before 1.11.0, all versions after 1.11.0",
          "package_slug": "go/Istio.io/isio",
          "pubdate": "2021-08-30",
          "solution": "Upgrade to versions 1.9.8, 1.10.4, 1.11.1 or above.",
          "title": "Improper Handling of Case Sensitivity",
          "urls": [
            "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-39155",
            "https://github.com/advisories/GHSA-7774-7vr3-cc8j"
          ],
          "uuid": "428a970c-be4e-48ee-9567-0f000fbc29ad"
        },
        {
          "affected_range": "\u003c1.9.8 || \u003e=1.10.0 \u003c1.10.4 || \u003e=1.11.0 \u003c1.11.1",
          "affected_versions": "All versions before 1.9.8, all versions starting from 1.10.0 before 1.10.4, all versions starting from 1.11.0 before 1.11.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2021-08-31",
          "description": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC ](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio, Istio and Istio As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices] (https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.",
          "fixed_versions": [
            "1.9.8",
            "1.10.4",
            "1.11.1"
          ],
          "identifier": "CVE-2021-39155",
          "identifiers": [
            "CVE-2021-39155",
            "GHSA-7774-7vr3-cc8j"
          ],
          "not_impacted": "All versions starting from 1.9.8 before 1.10.0, all versions starting from 1.10.4 before 1.11.0 all versions starting from 1.11.1",
          "package_slug": "go/github.com/istio/istio",
          "pubdate": "2021-08-24",
          "solution": "Upgrade to version 1.9.8, 1.10.4, 1.11.1 or above.",
          "title": "Improper Handling of Case Sensitivity",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-39155"
          ],
          "uuid": "8edf8fa9-1927-4899-90f0-d2510c9e66e6",
          "versions": [
            {
              "commit": {
                "sha": "6df2102bcdcdb04f9b6d9b1264a67196c48620ef",
                "tags": [
                  "1.10.0"
                ],
                "timestamp": "20210514163357"
              },
              "number": "v1.10.0"
            },
            {
              "commit": {
                "sha": "e57d02ff982c8fb4c30a6bd4a9095a186abc83eb",
                "tags": [
                  "1.11.1"
                ],
                "timestamp": "20210810222043"
              },
              "number": "v1.11.1"
            },
            {
              "commit": {
                "sha": "1a8d4bcd9aa3b57a0a70f05c155a00882de24770",
                "tags": [
                  "1.11.0"
                ],
                "timestamp": "20210812154527"
              },
              "number": "v1.11.0"
            },
            {
              "commit": {
                "sha": "92c1e77c09cd8def47a2044375c15ea28a69df9d",
                "tags": [
                  "1.10.4"
                ],
                "timestamp": "20210820061852"
              },
              "number": "v1.10.4"
            },
            {
              "commit": {
                "sha": "1b85babc05270d8baa0254b7a38acc1aad3e751c",
                "tags": [
                  "1.9.8"
                ],
                "timestamp": "20210820153838"
              },
              "number": "v1.9.8"
            }
          ]
        },
        {
          "affected_range": "\u003c1.9.8||\u003e=1.10.0 \u003c1.10.4||=1.11.0",
          "affected_versions": "All versions before 1.9.8, all versions starting from 1.10.0 before 1.10.4, version 1.11.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-178",
            "CWE-937"
          ],
          "date": "2022-07-16",
          "description": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.",
          "fixed_versions": [
            "1.9.8",
            "1.10.4",
            "1.11.1"
          ],
          "identifier": "CVE-2021-39155",
          "identifiers": [
            "GHSA-7774-7vr3-cc8j",
            "CVE-2021-39155"
          ],
          "not_impacted": "All versions starting from 1.9.8 before 1.10.0, all versions starting from 1.10.4 before 1.11.0, all versions after 1.11.0",
          "package_slug": "go/istio.io/istio",
          "pubdate": "2021-08-30",
          "solution": "Upgrade to versions 1.9.8, 1.10.4, 1.11.1 or above.",
          "title": "Improper Handling of Case Sensitivity",
          "urls": [
            "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-39155",
            "https://datatracker.ietf.org/doc/html/rfc4343",
            "https://github.com/advisories/GHSA-7774-7vr3-cc8j"
          ],
          "uuid": "59369ee0-2c77-4102-abb1-1372691bfff8"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "2FBF48C6-1E39-4692-A652-27E7DCDC81BC",
                    "versionEndExcluding": "1.9.8",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "59BD6BCF-15CE-49D9-B487-EEA603D3D5CC",
                    "versionEndExcluding": "1.10.4",
                    "versionStartIncluding": "1.10.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "886DF572-26C9-4BC9-875F-F043D445C346",
                    "versionEndExcluding": "1.11.1",
                    "versionStartIncluding": "1.11.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide."
          },
          {
            "lang": "es",
            "value": "Istio es una plataforma de c\u00f3digo abierto que proporciona una forma uniforme de integrar microservicios, administrar el flujo de tr\u00e1fico entre microservicios, aplicar pol\u00edticas y agregar datos de telemetr\u00eda. Seg\u00fan [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), la pol\u00edtica de autorizaci\u00f3n de Istio deber\u00eda comparar el nombre de host en el encabezado HTTP Host de forma no sensible a may\u00fasculas y min\u00fasculas, pero actualmente la comparaci\u00f3n es sensible a may\u00fasculas y min\u00fasculas. El proxy enrutar\u00e1 el nombre de host de la petici\u00f3n de forma no sensible a may\u00fasculas y min\u00fasculas, lo que significa que la pol\u00edtica de autorizaci\u00f3n podr\u00eda ser omitida. Por ejemplo, el usuario puede tener una pol\u00edtica de autorizaci\u00f3n que rechace peticiones con el nombre de host \"httpbin.foo\" para algunas IPs de origen, pero el atacante puede omitir esto mediante el env\u00edo de la petici\u00f3n con el nombre de host \"Httpbin.Foo\". Los parches est\u00e1n disponibles en Istio versi\u00f3n 1.11.1, Istio versi\u00f3n 1.10.4 e Istio versi\u00f3n 1.9.8. Como soluci\u00f3n, puede escribirse un filtro Lua para normalizar el encabezado Host antes de la comprobaci\u00f3n de la autorizaci\u00f3n. Esto es similar a la normalizaci\u00f3n de la Ruta presentada en la gu\u00eda [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization)."
          }
        ],
        "id": "CVE-2021-39155",
        "lastModified": "2024-02-21T21:01:31.320",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "integrityImpact": "NONE",
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              },
              "exploitabilityScore": 10.0,
              "impactScore": 2.9,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.5,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2021-08-24T23:15:07.093",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://datatracker.ietf.org/doc/html/rfc4343"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-178"
              },
              {
                "lang": "en",
                "value": "CWE-863"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-178"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

GHSA-7774-7VR3-CC8J

Vulnerability from github – Published: 2021-08-30 16:15 – Updated: 2021-12-13 13:09

Summary

Authorization Policy Bypass Due to Case Insensitive Host Comparison

Details

Impact

According to RFC 4343, Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The Envoy proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed.

As an example, the user may have an authorization policy that rejects request with hostname "httpbin.foo" for some source IPs, but the attacker can bypass this by sending the request with hostname "Httpbin.Foo".

Patches

Istio 1.11.1 and above
Istio 1.10.4 and above
Istio 1.9.8 and above

Workarounds

A Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the Security Best Practices guide.

References

More details can be found in the Istio Security Bulletin.

For more information

If you have any questions or comments about this advisory, please email us at istio-security-vulnerability-reports@googlegroups.com

Severity ?

8.3 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "istio.io/istio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "istio.io/istio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.0"
            },
            {
              "fixed": "1.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "istio.io/istio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11.0"
            },
            {
              "fixed": "1.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.11.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39155"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-178"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-25T22:29:16Z",
    "nvd_published_at": "2021-08-24T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAccording to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive.  The Envoy proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed.\n \nAs an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\".\n\n### Patches\n* Istio 1.11.1 and above\n* Istio 1.10.4 and above\n* Istio 1.9.8 and above\n\n### Workarounds\nA Lua filter may be written to normalize Host header before the authorization check.  This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.\n\n### References\nMore details can be found in the [Istio Security Bulletin](https://istio.io/latest/news/security/istio-security-2021-008).\n\n### For more information\nIf you have any questions or comments about this advisory, please email us at istio-security-vulnerability-reports@googlegroups.com\n",
  "id": "GHSA-7774-7vr3-cc8j",
  "modified": "2021-12-13T13:09:54Z",
  "published": "2021-08-30T16:15:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39155"
    },
    {
      "type": "WEB",
      "url": "https://github.com/istio/istio/commit/084b417a486dbe9b9024d4812877016a484572b1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/istio/istio/commit/76ed51413ddd2a7fa253a368ab20a9cec5fb1cbe"
    },
    {
      "type": "WEB",
      "url": "https://github.com/istio/istio/commit/90b00bdf891e6c770cb3235c14a9b1fda96cc7c5"
    },
    {
      "type": "WEB",
      "url": "https://datatracker.ietf.org/doc/html/rfc4343"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/istio/istio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authorization Policy Bypass Due to Case Insensitive Host Comparison"
}

FKIE_CVE-2021-39155

Vulnerability from fkie_nvd - Published: 2021-08-24 23:15 - Updated: 2024-11-21 06:18

Severity ?

8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://datatracker.ietf.org/doc/html/rfc4343	Third Party Advisory
security-advisories@github.com	https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://datatracker.ietf.org/doc/html/rfc4343	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j	Third Party Advisory

Impacted products

Vendor	Product	Version
istio	istio	*
istio	istio	*
istio	istio	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2FBF48C6-1E39-4692-A652-27E7DCDC81BC",
              "versionEndExcluding": "1.9.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "59BD6BCF-15CE-49D9-B487-EEA603D3D5CC",
              "versionEndExcluding": "1.10.4",
              "versionStartIncluding": "1.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "886DF572-26C9-4BC9-875F-F043D445C346",
              "versionEndExcluding": "1.11.1",
              "versionStartIncluding": "1.11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide."
    },
    {
      "lang": "es",
      "value": "Istio es una plataforma de c\u00f3digo abierto que proporciona una forma uniforme de integrar microservicios, administrar el flujo de tr\u00e1fico entre microservicios, aplicar pol\u00edticas y agregar datos de telemetr\u00eda. Seg\u00fan [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), la pol\u00edtica de autorizaci\u00f3n de Istio deber\u00eda comparar el nombre de host en el encabezado HTTP Host de forma no sensible a may\u00fasculas y min\u00fasculas, pero actualmente la comparaci\u00f3n es sensible a may\u00fasculas y min\u00fasculas. El proxy enrutar\u00e1 el nombre de host de la petici\u00f3n de forma no sensible a may\u00fasculas y min\u00fasculas, lo que significa que la pol\u00edtica de autorizaci\u00f3n podr\u00eda ser omitida. Por ejemplo, el usuario puede tener una pol\u00edtica de autorizaci\u00f3n que rechace peticiones con el nombre de host \"httpbin.foo\" para algunas IPs de origen, pero el atacante puede omitir esto mediante el env\u00edo de la petici\u00f3n con el nombre de host \"Httpbin.Foo\". Los parches est\u00e1n disponibles en Istio versi\u00f3n 1.11.1, Istio versi\u00f3n 1.10.4 e Istio versi\u00f3n 1.9.8. Como soluci\u00f3n, puede escribirse un filtro Lua para normalizar el encabezado Host antes de la comprobaci\u00f3n de la autorizaci\u00f3n. Esto es similar a la normalizaci\u00f3n de la Ruta presentada en la gu\u00eda [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization)."
    }
  ],
  "id": "CVE-2021-39155",
  "lastModified": "2024-11-21T06:18:44.323",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-24T23:15:07.093",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://datatracker.ietf.org/doc/html/rfc4343"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://datatracker.ietf.org/doc/html/rfc4343"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-178"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-178"
        },
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-39155 (GCVE-0-2021-39155)

GSD-2021-39155

GHSA-7774-7VR3-CC8J

Impact

Patches

Workarounds

References

For more information

FKIE_CVE-2021-39155

Tags

Sightings

Nomenclature