Go modules package
istio.io/istio
pkg:golang/istio.io/istio
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41413 | Med | 5.0 | | < 0.0.0-20260410004459-189832a289c1 | 0.0.0-20260410004459-189832a289c1 | May 7, 2026 | Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filte |
| CVE-2026-39350 | Med | 5.4 | | >= 0.0.0-20241024090207-0bf27d49ba4b, < 0.0.0-20260403004500-692e460c342d | 0.0.0-20260403004500-692e460c342d | Apr 15, 2026 | Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression ma |
| CVE-2022-31045 | — | | | < 1.12.18 | 1.12.18 | Jun 9, 2022 | Istio is an open platform to connect, manage, and secure microservices. In affected versions ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing. Users are most likely at risk if they have an |
| CVE-2022-23635 | — | | | >= 1.13.0, < 1.13.1 | 1.13.1 | Feb 22, 2022 | Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, `istiod`, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane cra |
| CVE-2021-39156 | — | | | < 1.9.8 | 1.9.8 | Aug 24, 2021 | Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where |
| CVE-2021-39155 | — | | | < 1.9.8 | 1.9.8 | Aug 24, 2021 | Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy sho |
| CVE-2021-31920 | — | | | < 1.8.6 | 1.8.6 | May 27, 2021 | Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used. |
| CVE-2020-16844 | — | | | >= 1.5.0, < 1.5.9 | 1.5.9 | Oct 1, 2020 | In Istio 1.5.0 through 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended poli |
| CVE-2019-18817 | — | | | >= 1.3.0, < 1.3.5 | 1.3.5 | Nov 12, 2019 | Istio 1.3.x before 1.3.5 allows Denial of Service because continue_on_listener_filters_timeout is set to True, a related issue to CVE-2019-18836. |
| CVE-2019-14993 | — | | | < 1.1.13 | 1.1.13 | Aug 13, 2019 | Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API. |
| CVE-2019-12243 | — | | | >= 1.1.0, < 1.1.7 | 1.1.7 | Jun 5, 2019 | Istio 1.1.x through 1.1.6 has Incorrect Access Control. |

The Affected versions and Fixed in columns record only the earliest patched release line for each entry. Where a description names further branches (1.9.x for CVE-2021-31920, 1.2.x for CVE-2019-14993, 1.6.x for CVE-2020-16844, 1.10.x and 1.11.0 for CVE-2021-39156), deployments on those branches are affected even though they fall outside the stated range, so triage against the description rather than the range column.