Description
A flaw was found in Istio. A user of Istio could be impacted if the JSON Web Key Set (JWKS) resolver becomes unavailable or fails to fetch keys. This vulnerability can lead to the exposure of hardcoded default settings, potentially bypassing authentication mechanisms and allowing unauthorized access.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| cert-manager Operator for Red Hat OpenShift | cert-manager/cert-manager-istio-csr-rhel9 | Affected | | |
| cert-manager Operator for Red Hat OpenShift | cert-manager/cert-manager-operator-bundle | Affected | | |
| cert-manager Operator for Red Hat OpenShift | cert-manager/cert-manager-operator-rhel9 | Affected | | |
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-acmesolver-rhel9 | Affected | | |
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Affected | | |
| ExternalDNS Operator | edo/external-dns-rhel8 | Not affected | | |
| ExternalDNS Operator | edo/external-dns-rhel9 | Not affected | | |
| OpenShift Serverless | openshift-serverless-1/kn-eventing-istio-controller-rhel9 | Affected | | |
| OpenShift Serverless | openshift-serverless-1/net-istio-controller-rhel9 | Affected | | |
| OpenShift Serverless | openshift-serverless-1/net-istio-webhook-rhel9 | Affected | | |
Additional information
Status:
Important
Defect:
CWE-1392
https://bugzilla.redhat.com/show_bug.cgi?id=2446344
istio: Istio: Information disclosure and authentication bypass via JWKS resolver unavailability
CVSS3: 7.5 High
Related vulnerabilities
CVSS3: 7.5
nvd
17 days ago
Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.
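Added example (not from the advisory or from the Istio project): a small check that tells whether an Istio version string is still below the fixed release on its branch, using only the fixed versions stated above; treating branches the advisory does not list as needing manual review is an assumption.

```python
# Added example, not advisory or Istio code. Fixed versions come from the
# advisory text; handling of unlisted branches is an assumption.
from typing import Tuple

# Fixed releases stated in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (1, 29): (1, 29, 1),
    (1, 28): (1, 28, 5),
    (1, 27): (1, 27, 8),
}

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'v1.28.3', '1.28.3-rc.0' or '1.28.3+build' into
    (major, minor, patch, is_final). is_final is 0 for a pre-release,
    so '1.29.1-rc.0' sorts before the final 1.29.1 that carries the fix."""
    core = text.strip().lstrip("v")
    core, _, _ = core.partition("+")          # drop build metadata
    core, _, prerelease = core.partition("-")  # split off pre-release tag
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Istio version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch, 0 if prerelease else 1

def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown-branch' for one version string."""
    major, minor, patch, is_final = parse_version(version)
    fix = FIXED_VERSIONS.get((major, minor))
    if fix is None:
        # Assumption: branches the advisory does not list (for example 1.26
        # and older) are flagged for manual review rather than guessed at.
        return "unknown-branch"
    # A version is fixed only if it is the fixed final release or later.
    return "fixed" if (major, minor, patch, is_final) >= fix + (1,) else "affected"

if __name__ == "__main__":
    for v in ["1.27.7", "v1.28.5", "1.29.1-rc.0", "1.29.2", "1.26.3"]:
        print(f"{v:>12}: {assess(v)}")
```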
CVSS3: 7.5 High