CVE-2022-21679
CVE-2022-21679 is a medium-severity vulnerability in Istio with a CVSS 3.x base score of 6.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-670.
Key facts
- Severity: Medium (CVSS 3.x base score 6.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 1% (61st percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-670
- Affected product: Istio
- Published:
- Last modified:
Description
Istio is an open platform to connect, manage, and secure microservices. In Istio 1.12.0 and 1.12.1 The authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or rejected unexpectedly for DENY action during the upgrade from 1.11 to 1.12.0/1.12.1. Istio 1.12 supports the hosts and notHosts fields in authorization policy with a new Envoy API shipped with the 1.12 data plane. A bug in the 1.12.0 and 1.12.1 incorrectly uses the new Envoy API with the 1.11 data plane. This will cause the hosts and notHosts fields to be always matched regardless of the actual value of the host header when mixing 1.12.0/1.12.1 control plane and 1.11 data plane. Users are advised to upgrade or to not mix the 1.12.0/1.12.1 control plane with 1.11 data plane if using hosts or notHosts field in authorization policy.
Frequently asked questions
- What is CVE-2022-21679?
- Istio is an open platform to connect, manage, and secure microservices. In Istio 1.12.0 and 1.12.1 The authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or rejected unexpectedly for DENY action during the upgrade from 1.11 to 1.12.0/1.12.1. Istio 1.12 supports the hosts and notHosts fields in authorization policy with a new Envoy API shipped with the 1.12 data plane. A bug in the 1.12.0 and 1.12.1 incorrectly uses the new Envoy API with the 1.11 data plane. This will cause the hosts and notHosts fields to be always matched regardless of the actual value of the host header when mixing 1.12.0/1.12.1 control plane and 1.11 data plane. Users are advised to upgrade or to not mix the 1.12.0/1.12.1 control plane with 1.11 data plane if using hosts or notHosts field in authorization policy.
- How severe is CVE-2022-21679?
- CVE-2022-21679 has a CVSS 3.x base score of 6.8, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2022-21679 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (61st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-21679?
- CVE-2022-21679 primarily affects Istio. In total, 9 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-21679?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2022-21679 published?
- CVE-2022-21679 was published on 2022-01-19 and last updated on 2026-06-17.
References
- https://github.com/istio/istio/security/advisories/GHSA-rwfr-xrvw-2rvv
- https://istio.io/latest/news/releases/1.12.x/announcing-1.12.2/
Affected products (9)
- cpe:2.3:a:istio:istio:1.12.0:-:*:*:*:*:*:*
- cpe:2.3:a:istio:istio:1.12.0:alpha0:*:*:*:*:*:*
- cpe:2.3:a:istio:istio:1.12.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:istio:istio:1.12.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:istio:istio:1.12.0:beta0:*:*:*:*:*:*
- cpe:2.3:a:istio:istio:1.12.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:istio:istio:1.12.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:istio:istio:1.12.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:istio:istio:1.12.1:*:*:*:*:*:*:*
More vulnerabilities in Istio
- CVE-2021-31921 — Critical (CVSS 9.8): Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can…
- CVE-2021-34824 — High (CVSS 8.8): Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified…
- CVE-2021-39155 — High (CVSS 8.3): Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across…
- CVE-2021-39156 — High (CVSS 8.1): Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across…
- CVE-2022-39388 — High (CVSS 7.6): Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to…
- CVE-2026-31837 — High (CVSS 7.5): Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of…
Other CWE-670 vulnerabilities
- CVE-2025-43359 — Critical (CVSS 9.8): A logic issue was addressed with improved state management. This issue is fixed in iOS 18.7 and iPadOS 18.7, iOS 26 and…
- CVE-2022-25745 — Critical (CVSS 9.8): Memory corruption in modem due to improper input validation while handling the incoming CoAP message
- CVE-2020-1914 — Critical (CVSS 9.8): A logic vulnerability when handling the SaveGeneratorLong instruction in Facebook Hermes prior to commit…
- CVE-2020-17466 — Critical (CVSS 9.8): Turcom TRCwifiZone through 2020-08-10 allows authentication bypass by visiting manage/control.php and ignoring 302…
- CVE-2019-17192 — Critical (CVSS 9.8): The WebRTC component in the Signal Private Messenger application through 4.47.7 for Android processes videoconferencing…
- CVE-2026-55276 — Critical (CVSS 9.1): Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty…