Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-31045

Istio is an open platform to connect, manage, and secure microservices. In affected versions ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing. Users are most likely at risk if they have an Istio ingress Gateway exposed to external traffic. This vulnerability has been resolved in versions 1.12.8, 1.13.5, and 1.14.1. Users are advised to upgrade. There are no known workarounds for this issue.

Published

2022-06-09T21:15:07.847

Last Modified

2024-11-21T07:03:46.690

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.0 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-125

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	istio	istio	< 1.12.8	Yes
Application	istio	istio	< 1.13.5	Yes
Application	istio	istio	1.14.0	Yes

References

https://github.com/istio/istio/security/advisories/GHSA-xwx5-5c9g-x68x Third Party Advisory ([email protected])
https://istio.io/latest/news/security/istio-security-2022-05 Broken Link ([email protected])
https://github.com/istio/istio/security/advisories/GHSA-xwx5-5c9g-x68x Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://istio.io/latest/news/security/istio-security-2022-05 Broken Link (af854a3a-2127-422b-91ae-364da2661108)