Istio may allow identity impersonation if user has localhost access
Package
Affected versions
>= 1.15.0-beta.0, < 1.15.3
Patched versions
1.15.3
Description
Published to the GitHub Advisory Database
Nov 9, 2022
Reviewed
Nov 9, 2022
Published by the National Vulnerability Database
Nov 10, 2022
Last updated
Jan 28, 2023
Impact
A user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane.
Patches
1.15.3
Workarounds
None. If you are using 1.15.2, please upgrade to 1.15.3 or later.
References
None at this time.
For more information
If you have any questions or comments about this advisory, please email us at istio-security-vulnerability-reports@googlegroups.com