{"id":"CVE-2021-39156","details":"Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio’s URI path based authorization policies. Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize the path.","aliases":["GHSA-hqxw-mm44-gc4r"],"modified":"2026-04-10T04:37:00.359560Z","published":"2021-08-24T23:15:10.413Z","related":["CGA-j3x2-jrvx-g3j4","GHSA-hqxw-mm44-gc4r"],"references":[{"type":"ADVISORY","url":"https://github.com/istio/istio/security/advisories/GHSA-hqxw-mm44-gc4r"},{"type":"ADVISORY","url":"https://istio.io/latest/news/security/istio-security-2021-008"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/istio/istio","events":[{"introduced":"0"},{"fixed":"5336ff0f12bc093b728dac3a729b4b2bcbc3df65"},{"introduced":"d26cba7e341587453ffeb978f5cf6fbc32f346f8"},{"fixed":"61313778e0b785e401c696f5e92f47af069f96d0"},{"introduced":"57d639a4fd19ee8c3559b9a4032f91e4d23c6f14"},{"fixed":"ce6205d503e5c5e41af496ebbe01ece7dc6c3547"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.9.8"},{"introduced":"1.10.0"},{"fixed":"1.10.3"},{"introduced":"1.11.0"},{"fixed":"1.11.1"}]}}],"versions":["0.3.0","0.5.0","0.6.0","1.0.0-snapshot.0","1.1.0-snapshot.2","1.1.0.snapshot.0","1.1.0.snapshot.1","1.10.0","1.10.1","1.11.0-beta.0","1.11.0-beta.1","1.11.0-beta.2","1.11.0-beta.3","1.11.0-rc.1","1.11.0-rc.2","1.11.0-rc.3","1.11.0-rc.4","1.2.0-rc.0","1.2.0-rc.3","1.5.0-alpha.0","1.5.0-beta.1","1.5.0-beta.2","1.6.0-alpha.0","1.6.0-alpha.1","1.6.0-alpha.2","1.7.0-alpha.0","1.9.0","1.9.0-beta.0","1.9.0-beta.1","1.9.0-rc.0","1.9.1","1.9.2","1.9.4","1.9.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39156.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}