Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| istio.io/istio(Go) | 0 | 1.8.6 | N/A |
| istio.io/istio(Go) | 1.9.0 | 1.9.5 | N/A |
CVSS Metrics
