ISTIO-SECURITY-2020-010
Security Bulletin
| Disclosure Details | |
|---|---|
| CVE(s) | CVE-2020-25017 |
| CVSS Impact Score | 8.3 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L |
| Affected Releases | 1.6 to 1.6.10, 1.7 to 1.7.2 |
Envoy, and consequently Istio, is vulnerable to a newly discovered vulnerability:
- CVE-2020-25017:
  In some cases, Envoy considers only the first value when a request carries several headers with the same name. In addition, when replacing a non-inline header, Envoy does not replace all existing occurrences of it.
  - CVSS Score: 8.3 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
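The two defects above, modelled side by side with the expected behaviour so the difference is concrete. This is an added illustration, not Envoy or Istio code: the header list is a constructed sample request, `x-tenant` is a hypothetical custom (non-inline) header, and `duplicate_header_names` is a hypothetical check for requests on which a first-value-only lookup and the full header view can disagree.

```python
# Added example (not Envoy/Istio code): model of the header-map behaviours
# named in CVE-2020-25017 beside the correct behaviour.
from typing import List, Optional, Tuple

Header = Tuple[str, str]  # (name, value); names compare case-insensitively

def get_first(headers: List[Header], name: str) -> Optional[str]:
    """Flawed lookup: reports only the first occurrence of a repeated header."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None

def get_all(headers: List[Header], name: str) -> List[str]:
    """Correct lookup: every value of a repeated header is visible."""
    return [v for n, v in headers if n.lower() == name.lower()]

def set_replacing_first(headers: List[Header], name: str, value: str) -> List[Header]:
    """Flawed replace: overwrites the first occurrence only; later duplicates survive."""
    out: List[Header] = []
    done = False
    for n, v in headers:
        if n.lower() == name.lower() and not done:
            out.append((name, value))
            done = True
        else:
            out.append((n, v))
    return out if done else out + [(name, value)]

def set_replacing_all(headers: List[Header], name: str, value: str) -> List[Header]:
    """Correct replace: drop every occurrence, then append the single new value."""
    out = [(n, v) for n, v in headers if n.lower() != name.lower()]
    return out + [(name, value)]

def duplicate_header_names(headers: List[Header]) -> List[str]:
    """Hypothetical check: header names that occur more than once, i.e. the
    requests on which the flawed lookup and the full view can diverge."""
    seen, dups = set(), []
    for n, _ in headers:
        k = n.lower()
        if k in seen and k not in dups:
            dups.append(k)
        seen.add(k)
    return dups

# Constructed sample request: a custom (non-inline) header sent twice.
SAMPLE: List[Header] = [("host", "svc.example.internal"),
                        ("x-tenant", "alpha"), ("x-tenant", "beta")]
```

A policy that decides on `get_first` sees only `alpha` while the upstream receiving the full list also sees `beta`; after the flawed replace the stale `beta` is still forwarded, which is the scope change reflected in the S:C of the CVSS vector.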
Mitigation
- For Istio 1.6.x deployments: update to Istio 1.6.11 or later.
- For Istio 1.7.x deployments: update to Istio 1.7.3 or later.
Reporting vulnerabilities
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.