From 859ad19fede37082968ce348dbdb7743f4c91760 Mon Sep 17 00:00:00 2001
From: Istio Automation
Date: Wed, 9 Nov 2022 14:46:28 -0800
Subject: [PATCH] [master] CVE 1.15.3 (#12209)

* Add information about CVE affecting 1.15.2
* Fix linting issues
* sort

Co-authored-by: Jacob Delgado
---
 .spelling | 1 +
 .../docs/releases/supported-releases/index.md | 2 +-
 .../security/istio-security-2022-008/index.md | 27 +++++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 content/en/news/security/istio-security-2022-008/index.md

diff --git a/.spelling b/.spelling
index 3c5bdc7471..60af1126d2 100644
--- a/.spelling
+++ b/.spelling
@@ -305,6 +305,7 @@ CVE-2022-29227
 CVE-2022-29228
 CVE-2022-31045
 CVE-2022-39278
+CVE-2022-39388
 CVE-2022-41715
 cves
 CVEs
diff --git a/content/en/docs/releases/supported-releases/index.md b/content/en/docs/releases/supported-releases/index.md
index 4e6ee0b9da..015c6bb9e9 100644
--- a/content/en/docs/releases/supported-releases/index.md
+++ b/content/en/docs/releases/supported-releases/index.md
@@ -78,7 +78,7 @@ Please keep up-to-date and use a supported version.
 | Minor Releases | Patched versions with no known CVEs |
 |------------------|-----------------------------------------------|
-| 1.15.x | 1.15.2+ |
+| 1.15.x | 1.15.3+ |
 | 1.14.x | 1.14.5+ |
 | 1.13.x | 1.13.9+ |
 | 1.12 and earlier | None, all versions have known vulnerabilities |
diff --git a/content/en/news/security/istio-security-2022-008/index.md b/content/en/news/security/istio-security-2022-008/index.md
new file mode 100644
index 0000000000..5ea0bc869d
--- /dev/null
+++ b/content/en/news/security/istio-security-2022-008/index.md
@@ -0,0 +1,27 @@
+---
+title: ISTIO-SECURITY-2022-008
+subtitle: Security Bulletin
+description: Identity impersonation if user has localhost access.
+cves: [CVE-2022-39388]
+cvss: "7.6"
+vector: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
+releases: ["1.15.2"]
+publishdate: 2022-11-09
+keywords: [CVE]
+skip_seealso: true
+---
+ {{< security_bulletin >}}
+ ## CVE
+ ### CVE-2022-39388
+ - __[CVE-2022-39388](https://github.com/istio/istio/security/advisories/GHSA-6c6p-h79f-g6p4)__: (CVSS Score 7.6, High): Identity impersonation if user has localhost access.
+ User can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane.
+ ## Am I Impacted?
+ You are at most risk if you are running Istio 1.15.2 and users have access to the machine where Istiod is running.
\ No newline at end of file