CVE-2022-39388 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2022-39388

CVE-2022-39388

November 10, 2022

Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds.

Related Resources (8)

https://istio.io/latest/news/releases/1.15.x/announcing-1.15.3/

https://github.com/istio/istio/security/advisories/GHSA-6c6p-h79f-g6p4

https://github.com/istio/istio/commit/346260e5115e9fbc65ba8a559bc686e6ca046a32

https://istio.io/latest/news/releases/1.15.x/announcing-1.15.3

https://github.com/istio/istio/commit/9a643e270421560afb2630e00f76d46a55499df9

https://nvd.nist.gov/vuln/detail/CVE-2022-39388

https://github.com/istio/istio

https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39388.json

Do you need more information?

CVSS v4

Base Score:

8.3

Attack Vector

ADJACENT

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

HIGH

Subsequent System Integrity

LOW

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.6

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

NONE

Weakness Type (CWE)

Incorrect Authorization

CWE-863

EPSS

Base Score:

0.06

Products

Solutions

Resources

Company

Compare

Developer Tools