CVE-2022-39388

Severity: Low (CVSS 3.1 base score 3.5)
Published Nov 10, 2022 · Last Modified Jun 17, 2026

Description

Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds.

CVSS Details

Base Score
3.5
Exploitability
2.1
Impact
1.4
Vector string
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector Adjacent
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (1)

CWE-863 Incorrect Authorization

Affected Products (1)

Vendor  Product  Version  Range
istio   istio    *        ≥ 1.15.0 and ≤ 1.15.2

References (4)

  • github.com https://github.com/istio/istio/commit/346260e5115e9fbc65ba8a559bc686e6ca046a32
    Patch, Third Party Advisory
  • github.com https://github.com/istio/istio/commit/9a643e270421560afb2630e00f76d46a55499df9
    Patch, Third Party Advisory
  • github.com https://github.com/istio/istio/security/advisories/GHSA-6c6p-h79f-g6p4
    Third Party Advisory
  • istio.io https://istio.io/latest/news/releases/1.15.x/announcing-1.15.3/
    Release Notes, Vendor Advisory

Remediation

  • Fixed in Istio 1.15.3; the fix is the two github.com patch commits listed under References above.