istio.io/archive/v1.16/news/security/index.html

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Security Bulletins"><meta name=description content="Disclosed security vulnerabilities and their mitigation."><meta name=keywords content="microservices,services,mesh"><meta property="og:title" content="Security Bulletins"><meta property="og:type" content="website"><meta property="og:description" content="Disclosed security vulnerabilities and their mitigation."><meta property="og:url" content="/v1.16/news/security/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1200"><meta property="og:image:height" content="600"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.16 / Security Bulletins</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.16/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.16/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.16/feed.xml><link rel="shortcut icon" href=/v1.16/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.16/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.16/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.16/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.16/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.16/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.16/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.16/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.16/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.16/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.16/favicons/favicon.svg><link rel=icon type=image/png href=/v1.16/favicons/favicon.png><link rel=mask-icon href=/v1.16/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.16/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.16/css/all.css><link rel=preconnect href=https://fonts.googleapis.com><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.16/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.16",docTitle="Security Bulletins",iconFile="/v1.16/img/icons.svg",buttonCopy="Copy to clipboard",buttonPrint="Print",buttonDownload="Download"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script>
<script src=/v1.16/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.16/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.16/img/icons.svg#menu-hamburger"/></svg></button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.16/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.16/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.16/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.16/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.16/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.16/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.16/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.16/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.16/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.16/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.16/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.16/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title='Search this site' aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.16/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.16/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label='Search this site' placeholder=Search>
<button id=search-close title='Cancel search' type=reset aria-label='Cancel search'><svg class="icon menu-close"><use xlink:href="/v1.16/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><main class="primary blog-content"><div><article><h1>Security Bulletins</h1><p class=blog-description>Disclosed security vulnerabilities and their mitigation.</p><div class=security-grid><table><thead><tr><th>Disclosure</th><th>Date</th><th>Affected Releases</th><th>Impact Score</th><th>Related</th></tr></thead><tbody><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2022-008/>ISTIO-SECURITY-2022-008</a></td><td>November 9, 2022</td><td>1.15.2<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.1%2fAV%3aA%2fAC%3aL%2fPR%3aL%2fUI%3aN%2fS%3aC%2fC%3aH%2fI%3aL%2fA%3aN">7.6</a></td><td>Identity impersonation if user has localhost access</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2022-007/>ISTIO-SECURITY-2022-007</a></td><td>October 12, 2022</td><td>All releases prior to 1.13<br>1.13.0 to 1.13.8<br>1.14.0 to 1.14.4<br>1.15.0 to 1.15.1<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.1%2fAV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">7.5</a></td><td>Denial of service attack due to Go Regex Library</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2022-006/>ISTIO-SECURITY-2022-006</a></td><td>July 26, 2022</td><td>1.13.6<br>1.14.2<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.1%2fAV%3aN%2fAC%3aH%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">5.9</a></td><td>Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2022-005/>ISTIO-SECURITY-2022-005</a></td><td>June 9, 2022</td><td>All releases prior to 1.12.0<br>1.12.0 to 1.12.7<br>1.13.0 to 1.13.4<br>1.14.0<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.1%2fAV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">7.5</a></td><td>Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2022-004/>ISTIO-SECURITY-2022-004</a></td><td>March 9, 2022</td><td>All releases prior to 1.11.0<br>1.11.0 to 1.11.7<br>1.12.0 to 1.12.4<br>1.13.0 to 1.13.1<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.1%2fAV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">7.5</a></td><td>Unauthenticated control plane denial of service attack due to stack exhaustion</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2022-003/>ISTIO-SECURITY-2022-003</a></td><td>February 22, 2022</td><td>All releases prior to 1.11.0<br>1.11.0 to 1.11.6<br>1.12.0 to 1.12.3<br>1.13.0<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.1%2fAV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">7.5</a></td><td>Multiple CVEs related to istiod Denial of Service and Envoy</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2022-001/>ISTIO-SECURITY-2022-001</a></td><td>January 18, 2022</td><td>1.12.0 to 1.12.1<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aH%2fPR%3aN%2fUI%3aR%2fS%3aU%2fC%3aH%2fI%3aH%2fA%3aN">6.8</a></td><td>Authorization Policy For Host Rules During Upgrades</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2022-002/>ISTIO-SECURITY-2022-002</a></td><td>January 18, 2022</td><td>1.12.0 to 1.12.1<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aL%2fPR%3aH%2fUI%3aN%2fS%3aU%2fC%3aL%2fI%3aL%2fA%3aL">4.7</a></td><td>Privileged Escalation in Kubernetes Gateway API</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2021-008/>ISTIO-SECURITY-2021-008</a></td><td>August 24, 2021</td><td>All releases prior to 1.9.8<br>1.10.0 to 1.10.3<br>1.11.0<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aL%2fAC%3aL%2fPR%3aN%2fUI%3aR%2fS%3aC%2fC%3aH%2fI%3aH%2fA%3aH">8.6</a></td><td>Multiple CVEs related to AuthorizationPolicy, EnvoyFilter and Envoy</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2021-007/>ISTIO-SECURITY-2021-007</a></td><td>June 24, 2021</td><td>All 1.8 patch releases<br>1.9.0 to 1.9.5<br>1.10.0 to 1.10.1<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aL%2fPR%3aL%2fUI%3aN%2fS%3aC%2fC%3aH%2fI%3aL%2fA%3aL">9.1</a></td><td>Istio contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2021-005/>ISTIO-SECURITY-2021-005</a></td><td>May 11, 2021</td><td>All releases prior to 1.8.6<br>1.9.0 to 1.9.4<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aL%2fPR%3aL%2fUI%3aN%2fS%3aU%2fC%3aH%2fI%3aH%2fA%3aN">8.1</a></td><td>HTTP request paths with multiple slashes or escaped slash characters may bypass path based authorization rules</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2021-006/>ISTIO-SECURITY-2021-006</a></td><td>May 11, 2021</td><td>All releases prior to 1.8.6<br>1.9.0 to 1.9.4<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aC%2fC%3aH%2fI%3aH%2fA%3aH">10</a></td><td>An external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2021-003/>ISTIO-SECURITY-2021-003</a></td><td>April 15, 2021</td><td>All releases prior to 1.8.5<br>1.9.0 to 1.9.2<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">7.5</a></td><td></td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2021-004/>ISTIO-SECURITY-2021-004</a></td><td>April 15, 2021</td><td>All releases 1.5 and later<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=">N/A</a></td><td>Potential misuse of mTLS-only fields in AuthorizationPolicy with plain text traffic</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2021-002/>ISTIO-SECURITY-2021-002</a></td><td>April 7, 2021</td><td>All releases 1.6 and later<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=">N/A</a></td><td>Upgrades from older Istio versions can affect access control to an ingress gateway due to a change of container ports</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2021-001/>ISTIO-SECURITY-2021-001</a></td><td>March 1, 2021</td><td>1.9.0<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aH%2fI%3aL%2fA%3aN">8.2</a></td><td>JWT authentication can be bypassed when AuthorizationPolicy is misused</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2020-011/>ISTIO-SECURITY-2020-011</a></td><td>November 21, 2020</td><td>1.8.0<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=">N/A</a></td><td>Envoy incorrectly restores the proxy protocol downstream address for non-HTTP connections</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2020-010/>ISTIO-SECURITY-2020-010</a></td><td>September 29, 2020</td><td>1.6 to 1.6.10<br>1.7 to 1.7.2<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aC%2fC%3aL%2fI%3aL%2fA%3aL">8.3</a></td><td></td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2020-009/>ISTIO-SECURITY-2020-009</a></td><td>August 11, 2020</td><td>1.5 to 1.5.8<br>1.6 to 1.6.7<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aH%2fPR%3aL%2fUI%3aN%2fS%3aU%2fC%3aH%2fI%3aH%2fA%3aN">6.8</a></td><td>Incorrect Envoy configuration for wildcard suffixes used for Principals/Namespaces in Authorization Policies for TCP Services</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2020-008/>ISTIO-SECURITY-2020-008</a></td><td>July 9, 2020</td><td>1.5 to 1.5.7<br>1.6 to 1.6.4<br>All releases prior to 1.5<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aH%2fPR%3aH%2fUI%3aN%2fS%3aC%2fC%3aH%2fI%3aL%2fA%3aN%2fE%3aF%2fRL%3aO%2fRC%3aC">6.6</a></td><td>Incorrect validation of wildcard DNS Subject Alternative Names</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2020-007/>ISTIO-SECURITY-2020-007</a></td><td>June 30, 2020</td><td>1.5 to 1.5.6<br>1.6 to 1.6.3<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">7.5</a></td><td>Multiple denial of service vulnerabilities in Envoy</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2020-006/>ISTIO-SECURITY-2020-006</a></td><td>June 11, 2020</td><td>1.4 to 1.4.9<br>1.5 to 1.5.4<br>1.6 to 1.6.1<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">7.5</a></td><td>Denial of service in the HTTP2 library used by Envoy</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2020-005/>ISTIO-SECURITY-2020-005</a></td><td>May 12, 2020</td><td>1.4 to 1.4.8<br>1.5 to 1.5.3<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">7.5</a></td><td>Denial of service affecting telemetry v2</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2020-004/>ISTIO-SECURITY-2020-004</a></td><td>March 25, 2020</td><td>1.4 to 1.4.6<br>1.5<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aA%2fAC%3aL%2fPR%3aL%2fUI%3aN%2fS%3aC%2fC%3aH%2fI%3aH%2fA%3aN">8.7</a></td><td>Default Kiali security configuration allows full control of mesh</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2020-003/>ISTIO-SECURITY-2020-003</a></td><td>March 3, 2020</td><td>1.4 to 1.4.5<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=">7.5</a></td><td>Two uncontrolled resource consumption and two incorrect access control vulnerabilities in Envoy</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2020-001/>ISTIO-SECURITY-2020-001</a></td><td>February 11, 2020</td><td>1.3 to 1.3.7<br>1.4 to 1.4.3<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aH%2fPR%3aN%2fUI%3aN%2fS%3aC%2fC%3aH%2fI%3aH%2fA%3aH">9.0</a></td><td>Authentication Policy bypass</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2020-002/>ISTIO-SECURITY-2020-002</a></td><td>February 11, 2020</td><td>1.3 to 1.3.6<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aH%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aH%2fI%3aH%2fA%3aN">7.4</a></td><td>Mixer policy check bypass caused by improperly accepting certain request headers</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2019-007/>ISTIO-SECURITY-2019-007</a></td><td>December 10, 2019</td><td>1.2 to 1.2.9<br>1.3 to 1.3.5<br>1.4 to 1.4.1<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.0%2fAV%3aN%2fAC%3aH%2fPR%3aN%2fUI%3aN%2fS%3aC%2fC%3aH%2fI%3aH%2fA%3aH">9.0</a></td><td>Heap overflow and improper input validation in Envoy</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2019-006/>ISTIO-SECURITY-2019-006</a></td><td>November 7, 2019</td><td>1.3 to 1.3.4<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.1%2fAV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH%2fE%3aH%2fRL%3aO%2fRC%3aC">7.5</a></td><td>Denial of service</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2019-005/>ISTIO-SECURITY-2019-005</a></td><td>October 8, 2019</td><td>1.1 to 1.1.15<br>1.2 to 1.2.6<br>1.3 to 1.3.1<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.0%2fAV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">7.5</a></td><td>Denial of service caused by the presence of numerous HTTP headers in client requests</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/incorrect-sidecar-image-1.2.4/>Istio 1.2.4 sidecar image vulnerability</a></td><td>September 10, 2019</td><td>1.2 to 1.2.4<br></td><td class=score></td><td>An erroneous 1.2.4 sidecar image was available due to a faulty release operation</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2019-003/>ISTIO-SECURITY-2019-003</a></td><td>August 13, 2019</td><td>1.1 to 1.1.12<br>1.2 to 1.2.3<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.0%2fAV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">7.5</a></td><td>Denial of service in regular expression parsing</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2019-004/>ISTIO-SECURITY-2019-004</a></td><td>August 13, 2019</td><td>1.1 to 1.1.12<br>1.2 to 1.2.3<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.0%2fAV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">7.5</a></td><td>Multiple denial of service vulnerabilities related to HTTP2 support in Envoy</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2019-002/>ISTIO-SECURITY-2019-002</a></td><td>June 28, 2019</td><td>1.0 to 1.0.8<br>1.1 to 1.1.9<br>1.2 to 1.2.1<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.0%2fAV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH%2fE%3aF%2fRL%3aO%2fRC%3aC">7.5</a></td><td>Denial of service affecting JWT access token parsing</td></tr><tr><td style=white-space:nowrap><a href=/v1.16/news/security/istio-security-2019-001/>ISTIO-SECURITY-2019-001</a></td><td>May 28, 2019</td><td>1.1 to 1.1.6<br></td><td class=score><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.0%2fAV%3aA%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aC%2fC%3aH%2fI%3aH%2fA%3aN%2fE%3aH%2fRL%3aO%2fRC%3aC">8.9</a></td><td>Incorrect access control</td></tr></tbody></table></div></article></div></main><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title='GitHub is where development takes place on Istio code' href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.16/img/icons.svg#github"/></svg></a><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.16/img/icons.svg#drive"/></svg></a><a class=channel title='Interactively discuss issues with the Istio community on Slack' href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.16/img/icons.svg#slack"/></svg></a><a class=channel title='Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio' href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.16/img/icons.svg#stackoverflow"/></svg></a><a class=channel title='Follow us on Twitter to get the latest news' href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.16/img/icons.svg#twitter"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.16/ aria-label=logotype><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 lang=en id=switch-lang-en class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.16/img/icons.svg#tick"/></svg>English</a>
<a tabindex=-1 lang=zh id=switch-lang-zh class=footer-languages-item>中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://www.linuxfoundation.org/legal/terms>Terms and Conditions</a> |
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/privacy-policy>Privacy policy</a> |
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.16/content/en/news/security/_index.md>Edit this Page on GitHub</a></li></ul><div class=footer-base><span class=footer-base-copyright>&copy; 2023 the Istio Authors.</span>
<span class=footer-base-version>Version
Archive
1.16.2</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/news/security/"),!1'>current release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/news/security/"),!1'>next release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>older releases</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title='Back to top' tabindex=-1><svg class="icon top"><use xlink:href="/v1.16/img/icons.svg#top"/></svg></button></div></body></html>