{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39388", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2025-04-23T16:39:23.029Z", "dateReserved": "2022-09-02T00:00:00.000Z", "datePublished": "2022-11-10T00:00:00.000Z"}, "containers": {"cna": {"title": "Istio may allow identity impersonation if user has localhost access", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-11-10T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds."}], "affected": [{"vendor": "istio", "product": "istio", "versions": [{"version": ">= 1.15.0-beta.0, < 1.15.3", "status": "affected"}]}], "references": [{"url": "https://github.com/istio/istio/security/advisories/GHSA-6c6p-h79f-g6p4"}, {"url": "https://github.com/istio/istio/commit/346260e5115e9fbc65ba8a559bc686e6ca046a32"}, {"url": "https://github.com/istio/istio/commit/9a643e270421560afb2630e00f76d46a55499df9"}, {"url": "https://istio.io/latest/news/releases/1.15.x/announcing-1.15.3/"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-863: Incorrect Authorization", "cweId": "CWE-863"}]}], "source": {"advisory": "GHSA-6c6p-h79f-g6p4", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:07:41.233Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/istio/istio/security/advisories/GHSA-6c6p-h79f-g6p4", "tags": ["x_transferred"]}, {"url": "https://github.com/istio/istio/commit/346260e5115e9fbc65ba8a559bc686e6ca046a32", "tags": ["x_transferred"]}, {"url": "https://github.com/istio/istio/commit/9a643e270421560afb2630e00f76d46a55499df9", "tags": ["x_transferred"]}, {"url": "https://istio.io/latest/news/releases/1.15.x/announcing-1.15.3/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T13:55:00.507730Z", "id": "CVE-2022-39388", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T16:39:23.029Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/istio/istio/security/advisories/GHSA-6c6p-h79f-g6p4", "tags": ["x_transferred"]}, {"url": "https://github.com/istio/istio/commit/346260e5115e9fbc65ba8a559bc686e6ca046a32", "tags": ["x_transferred"]}, {"url": "https://github.com/istio/istio/commit/9a643e270421560afb2630e00f76d46a55499df9", "tags": ["x_transferred"]}, {"url": "https://istio.io/latest/news/releases/1.15.x/announcing-1.15.3/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:07:41.233Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-39388", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T13:55:00.507730Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T13:55:01.964Z"}}], "cna": {"title": "Istio may allow identity impersonation if user has localhost access", "source": {"advisory": "GHSA-6c6p-h79f-g6p4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "istio", "product": "istio", "versions": [{"status": "affected", "version": ">= 1.15.0-beta.0, < 1.15.3"}]}], "references": [{"url": "https://github.com/istio/istio/security/advisories/GHSA-6c6p-h79f-g6p4"}, {"url": "https://github.com/istio/istio/commit/346260e5115e9fbc65ba8a559bc686e6ca046a32"}, {"url": "https://github.com/istio/istio/commit/9a643e270421560afb2630e00f76d46a55499df9"}, {"url": "https://istio.io/latest/news/releases/1.15.x/announcing-1.15.3/"}], "descriptions": [{"lang": "en", "value": "Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-11-10T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-39388", "state": "PUBLISHED", "dateUpdated": "2025-04-23T16:39:23.029Z", "dateReserved": "2022-09-02T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-11-10T00:00:00.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5DFF901-FC34-460A-B7F6-03F4F0DADA25", "versionEndIncluding": "1.15.2", "versionStartIncluding": "1.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds."}, {"lang": "es", "value": "Istio es una plataforma abierta para conectar, administrar y proteger microservicios. En las versiones de la rama 1.15.x anteriores a la 1.15.3, un usuario puede suplantar cualquier identidad de carga de trabajo dentro de la malla de servicios si tiene acceso de host local al plano de control de Istiod. La versi\u00f3n 1.15.3 contiene un parche para este problema. No se conocen workarounds."}], "id": "CVE-2022-39388", "lastModified": "2024-11-21T07:18:11.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-10T20:15:10.587", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/istio/istio/commit/346260e5115e9fbc65ba8a559bc686e6ca046a32"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/istio/istio/commit/9a643e270421560afb2630e00f76d46a55499df9"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/istio/istio/security/advisories/GHSA-6c6p-h79f-g6p4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://istio.io/latest/news/releases/1.15.x/announcing-1.15.3/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/istio/istio/commit/346260e5115e9fbc65ba8a559bc686e6ca046a32"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/istio/istio/commit/9a643e270421560afb2630e00f76d46a55499df9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/istio/istio/security/advisories/GHSA-6c6p-h79f-g6p4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://istio.io/latest/news/releases/1.15.x/announcing-1.15.3/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}