CVE-2021-31920

Vulnerability

Istio prior to versions 1.8.6 and 1.9.5 contains a vulnerability where HTTP request paths with multiple slashes or escaped slash characters (%2F or %5C) can bypass authorization policies that use path-based rules [1][2]. This occurs because the authorization engine does not normalize paths before matching, while some backend services normalize them, leading to policy mismatches [2]. Affected releases include all versions before 1.8.6 and 1.9.0 through 1.9.4 [1][2].

Exploitation

An attacker with network access to an Istio proxy (e.g., ingress gateway or sidecar) can exploit this by sending an HTTP request with a manipulated path [2]. For example, if a DENY policy rejects /admin, sending a request to //admin or using %2F or %5C characters will bypass the policy because the request path does not match the string /admin [2]. No authentication or user interaction is required beyond standard request capabilities [2]. The attacker only needs to know which paths are protected by policy.

Impact

Successful exploitation allows an attacker to access resources protected by path-based authorization rules, potentially gaining access to sensitive endpoints or administrative interfaces [2]. This can lead to unauthorized information disclosure or privilege escalation, depending on the protected resource [1][2]. The CVSS score is 8.1 (High) with confidentiality and integrity impacts high [1][2].

Mitigation

The vulnerability is fixed in Istio 1.8.6 and 1.9.5 [1][2]. Users should upgrade to these versions or later. No official workaround is provided; however, administrators can review their authorization policies to ensure they are not relying solely on path matching as a security control. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.