Log in Get started

Back to Istio Io

ISTIO-SECURITY-2020-010

content/en/news/security/istio-security-2020-010/index.md

latest806 B

Original Source

{{< security_bulletin >}}

Envoy, and subsequently Istio, is vulnerable to a newly discovered vulnerability:

CVE-2020-25017: In some cases, Envoy only considers the first value when multiple headers are present. Also, Envoy does not replace all existing occurrences of a non-inline header.
- CVSS Score: 8.3 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Mitigation

For Istio 1.6.x deployments: update to Istio 1.6.11 or later.
For Istio 1.7.x deployments: update to Istio 1.7.3 or later.

{{< boilerplate "security-vulnerability" >}}