Description
Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.
References
- Vendor Advisory
Vulnerable configurations
Configuration 1
- Version before 1.27.8 (exclusive)
- Version from 1.28.0 (inclusive) to 1.28.5 (exclusive)
- Version from 1.29.0 (inclusive) to 1.29.1 (exclusive)
One of
cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*
cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*
cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*
EPSS: 0.00048 (percentile: 15%), Low
CVSS3: 7.5 High
Weaknesses
CWE-200
Related vulnerabilities
CVSS3: 7.5
redhat
17 days ago
A flaw was found in Istio. A user of Istio could be impacted if the JSON Web Key Set (JWKS) resolver becomes unavailable or fails to fetch keys. This vulnerability can lead to the exposure of hardcoded default settings, potentially bypassing authentication mechanisms and allowing unauthorized access.
EPSS: 0.00048 (percentile: 15%), Low
CVSS3: 7.5 High
Weaknesses
CWE-200