CVE-2021-39156

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass Istio's URI path-based authorization policies by sending HTTP requests with URL fragments (#fragment) in the path. This affects all Istio deployments using authorization policies to restrict access based on URI paths. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:
  • Istio
Versions: Istio 1.11.0 and below, 1.10.3 and below, 1.9.7 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using Istio AuthorizationPolicy with URI path matching. All platforms running affected Istio versions are vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete bypass of all URI-based authorization controls, allowing unauthorized access to protected microservices and sensitive data.

🟠

Likely Case

Partial authorization bypass enabling access to some protected endpoints that should be restricted.

🟢

If Mitigated

Limited impact if additional security layers (network segmentation, application-level auth) are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests with URL fragments. Public proof-of-concept exists in advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Istio 1.11.1, 1.10.4, 1.9.8

Vendor Advisory: https://istio.io/latest/news/security/istio-security-2021-008

Restart Required: Yes

Instructions:

1. Upgrade the Istio control plane to a patched version.
2. Restart the Istio control plane components.
3. Upgrade the data plane (sidecars) to the patched version.
4. Restart workloads so the new sidecars are injected.

🔧 Temporary Workarounds

Lua Filter Workaround

Applies to: all

Implement a Lua filter to normalize URL paths by removing fragments before authorization checks

Refer to Istio advisory for Lua filter implementation details

🧯 If You Can't Patch

  • Implement network segmentation to limit access to vulnerable services
  • Add application-level authentication/authorization as additional security layer

🔍 How to Verify

Check if Vulnerable:

Check Istio version: kubectl get pods -n istio-system -l app=istiod -o jsonpath='{.items[*].spec.containers[*].image}'

Check Version:

istioctl version

Verify Fix Applied:

Confirm the upgraded version (istioctl version reports the control plane and data plane proxy versions separately, so check both) and test your authorization policies with requests whose path contains a fragment

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with # in URL path in Envoy access logs
  • Authorization policy denials for previously allowed paths

Network Indicators:

  • HTTP traffic with URL fragments to protected endpoints
  • Unexpected successful requests to restricted paths

SIEM Query:

source="istio-proxy" AND (url="*#*" OR (status="200" AND path="*/protected/*"))

Here */protected/* stands in for your own restricted path prefix, and the url="*#*" clause only matches if the proxy's access log format records the raw request path.
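As an added example (not code from the Istio advisory or the Istio project), the following Python script parses a few constructed Envoy-style access log lines, flags the fragment-in-path indicator listed above, and shows why the fragment matters for path-based authorization: a matcher that compares the raw path against an exact deny rule misses the fragment variant, whereas one that strips the fragment before comparing does not. The log lines, the deny list and the matcher are all constructed for illustration; the matcher only approximates the patched behaviour and is not Istio's implementation.

```python
"""Detection and matcher illustration for fragment-in-path requests (constructed example)."""
import re
from typing import Dict, List

# Leading part of Envoy's default access log layout:
# [START_TIME] "METHOD PATH PROTOCOL" RESPONSE_CODE ...
ENVOY_LINE = re.compile(
    r'^\[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<proto>HTTP/[\d.]+)" (?P<status>\d{3})'
)

# Constructed sample lines (not captured from a real system). The third line
# carries a fragment in the path and was answered with 200 for a path that
# the second line shows being denied.
SAMPLE_LOG = """\
[2021-08-24T10:00:01.000Z] "GET /healthz HTTP/1.1" 200 - 0 2 1 0 "-" "curl/7.79" "req-1" "svc.default.svc.cluster.local" "10.0.0.5:8080"
[2021-08-24T10:00:02.000Z] "GET /admin HTTP/1.1" 403 - 0 19 0 - "-" "curl/7.79" "req-2" "svc.default.svc.cluster.local" "-"
[2021-08-24T10:00:03.000Z] "GET /admin#x HTTP/1.1" 200 - 0 512 3 2 "-" "curl/7.79" "req-3" "svc.default.svc.cluster.local" "10.0.0.5:8080"
"""

# Hypothetical deny list, shaped like the `paths` field of an Istio AuthorizationPolicy rule.
DENY_PATHS = ["/admin", "/internal/*"]


def parse_access_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per line that matches the default Envoy access log layout."""
    entries = []
    for line in text.splitlines():
        m = ENVOY_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_fragment_requests(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Log indicator from the advisory summary: a '#' inside the request path."""
    return [e for e in entries if "#" in e["path"]]


def strip_fragment(path: str) -> str:
    """Drop '#...' so the matcher sees the path the backend is likely to route on."""
    return path.split("#", 1)[0]


def path_matches(pattern: str, path: str) -> bool:
    """Subset of Istio `paths` matching: exact, 'prefix*', '*suffix' and '*'."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return path == pattern


def evaluate_deny_policy(deny_paths: List[str], path: str, normalize: bool) -> str:
    """'DENY' if any pattern matches, otherwise 'ALLOW'.

    normalize=False compares the raw path, which is the weak behaviour described
    for the affected versions. normalize=True strips the fragment first, an
    approximation (assumption, not Istio's code) of what the fix achieves.
    """
    candidate = strip_fragment(path) if normalize else path
    return "DENY" if any(path_matches(p, candidate) for p in deny_paths) else "ALLOW"


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_LOG)
    for e in find_fragment_requests(entries):
        print(f"{e['time']} fragment in path {e['path']!r}, status {e['status']}")
    for p in ["/admin", "/admin#x", "/internal/keys#frag"]:
        raw = evaluate_deny_policy(DENY_PATHS, p, normalize=False)
        fixed = evaluate_deny_policy(DENY_PATHS, p, normalize=True)
        print(f"{p:22} raw-path match: {raw:5}  fragment-stripped match: {fixed}")
```

The prefix rule in the constructed deny list still catches `/internal/keys#frag` even without normalization, because the fragment sits after the matched prefix; the exact rule for `/admin` is the one that the raw-path comparison misses. When running this against real logs, keep in mind that the `#` indicator can only appear if the configured access log format records the request path.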
