First published: Thu Nov 10 2022
Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
Istio | >=1.15.0, <=1.15.2 | Upgrade to Istio 1.15.3 or later
CVE-2022-39388 is a vulnerability in Istio, where a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane.
The severity of CVE-2022-39388 is rated high. Note that the score of 3.5 quoted here does not match that rating: in CVSS v3, 3.5 falls in the Low band (0.1 to 3.9), while High covers 7.0 to 8.9. Confirm the base score and vector against the Istio security bulletin and the NVD entry before using it for prioritisation.
CVE-2022-39388 can be exploited by an attacker with localhost access to the Istiod control plane, that is, the ability to open connections from within the istiod pod's network namespace (for example a compromised container in that pod or a host-level compromise of the node running it). The precondition is therefore not trivial, but once met the attacker can impersonate any workload identity within the service mesh, so mTLS peer identity and identity-based authorization policies can no longer be trusted across the mesh.
To fix CVE-2022-39388, update Istio to version 1.15.3 or later, which contains a patch for this vulnerability.
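To decide quickly whether a cluster needs the upgrade, the following script (an added example, not code from the Istio project or from this advisory) extracts the version tag from an istiod image reference and tests it against the affected range 1.15.0 to 1.15.2. The image references it runs against are constructed samples; the `istiod_images` function shows the real `kubectl` query you would use against a live cluster, assuming the default `istio-system` namespace and `istiod` deployment name.

```shell
#!/bin/sh
# Added example for CVE-2022-39388: flag istiod images in the 1.15.0..1.15.2 range.
# Not part of the Istio project; assumes default namespace/deployment names.

# Extract the version from an image reference, e.g.
# "docker.io/istio/pilot:1.15.2-distroless" -> "1.15.2".
version_from_image() {
  tag=${1##*:}      # text after the last ':' (registry ports sit before the last ':')
  tag=${tag%%-*}    # drop variant suffixes such as "-distroless"
  printf '%s\n' "$tag"
}

# Return 0 when VERSION is within [1.15.0, 1.15.2], 1 when outside the
# range, 2 when the string is not a three-part version.
istio_affected() {
  ver=$1
  case "$ver" in
    *.*.*) ;;
    *) return 2 ;;
  esac
  major=${ver%%.*}; rest=${ver#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  case "$major.$minor" in
    1.15) [ "$patch" -le 2 ] ;;   # 1.15.0, 1.15.1, 1.15.2 are affected
    *) return 1 ;;                # other minor versions are out of scope here
  esac
}

# Live-cluster query (not executed in the offline demo below): list the
# container images of the istiod deployment. Assumes default names.
istiod_images() {
  kubectl -n istio-system get deploy istiod \
    -o jsonpath='{.spec.template.spec.containers[*].image}'
}

# Constructed sample image references so the script runs offline.
for img in docker.io/istio/pilot:1.15.2-distroless \
           docker.io/istio/pilot:1.15.3 \
           docker.io/istio/pilot:1.14.5; do
  v=$(version_from_image "$img")
  if istio_affected "$v"; then
    echo "$img -> $v: AFFECTED by CVE-2022-39388, upgrade to 1.15.3 or later"
  else
    echo "$img -> $v: not in the affected range"
  fi
done
```

On a real cluster, replace the sample loop with `for img in $(istiod_images); do ...; done`; the check only covers the 1.15.x range this advisory describes, so other branches are reported as "not in the affected range" rather than as safe.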
You can find more information about CVE-2022-39388 on the Istio GitHub repository and the Istio security advisories page.