Miggo Logo
Miggo Vulnerability Database
CVE-2021-31920

CVE-2021-31920: Istio Authorization Bypass Vulnerability

6.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-31920
GHSA ID
GHSA-6q5m-22mq-q2xv
EPSS Score
0.47563%
CWE
CWE-863
Published
5/24/2022
Updated
8/7/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
istio.io/istiogo< 1.8.61.8.6
istio.io/istiogo>= 1.9.0, <= 1.9.41.9.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper path normalization in Envoy proxies configured by Istio. While the actual path processing occurs in Envoy (C++), the root cause in Istio's Go code is the failure to configure Envoy with required normalization settings. The buildHTTPConnectionManager function in Istio's control plane (responsible for Envoy configuration generation) is the logical point where this misconfiguration would occur. The advisory explicitly mentions updated normalization options in patched versions, implicating this configuration pathway.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Istio ***or* *.*.* *n* *.*.x ***or* *.*.* **s * r*mot*ly *xploit**l* vuln*r**ility w**r* *n *TTP r*qu*st p*t* wit* multipl* sl*s**s or *s**p** sl*s* ***r**t*rs (%** or %**) *oul* pot*nti*lly *yp*ss *n Istio *ut*oriz*tion poli*y w**n p*t* **s** *ut*or

Reasoning

T** vuln*r**ility st*ms *rom improp*r p*t* norm*liz*tion in *nvoy proxi*s *on*i*ur** *y Istio. W*il* t** **tu*l p*t* pro**ssin* o**urs in *nvoy (*++), t** root **us* in Istio's *o *o** is t** **ilur* to *on*i*ur* *nvoy wit* r*quir** norm*liz*tion s*t