CVE-2022-39388

{"id": "CVE-2022-39388", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.1}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.3}]}, "published": "2022-11-10T20:15:10.587", "references": [{"url": "https://github.com/istio/istio/commit/346260e5115e9fbc65ba8a559bc686e6ca046a32", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/istio/istio/commit/9a643e270421560afb2630e00f76d46a55499df9", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/istio/istio/security/advisories/GHSA-6c6p-h79f-g6p4", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://istio.io/latest/news/releases/1.15.x/announcing-1.15.3/", "tags": ["Release Notes", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds."}, {"lang": "es", "value": "Istio es una plataforma abierta para conectar, administrar y proteger microservicios. En las versiones de la rama 1.15.x anteriores a la 1.15.3, un usuario puede suplantar cualquier identidad de carga de trabajo dentro de la malla de servicios si tiene acceso de host local al plano de control de Istiod. La versi\u00f3n 1.15.3 contiene un parche para este problema. No se conocen workarounds."}], "lastModified": "2022-11-15T20:21:21.517", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5DFF901-FC34-460A-B7F6-03F4F0DADA25", "versionEndIncluding": "1.15.2", "versionStartIncluding": "1.15.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}