CVE-2021-31920
MEDIUM
Istio <1.8.6, 1.9.x <1.9.5 - SSRF
Title source: llm
Description
Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used.
Scores
CVSS v3
6.5
EPSS
0.0019
EPSS Percentile
40.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Classification
CWE
CWE-706
Status
published
Affected Products (2)
istio/istio
< 1.8.6
istio.io/istio
< 1.8.6
Go
Timeline
Published
May 27, 2021
Tracked Since
Feb 18, 2026