{"id":"CVE-2022-24726","summary":"Unauthenticated control plane denial of service attack in Istio","details":"Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker to crash the control plane by sending a specially crafted message when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [external istiod](https://istio.io/latest/docs/setup/install/external-controlplane/) topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet or restrict the set of IP addresses that can query it to a set of known, trusted 
entities.","aliases":["GHSA-8w5h-qr4r-2h6g"],"modified":"2026-04-02T07:49:56.743101Z","published":"2022-03-10T20:45:12Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24726.json","cwe_ids":["CWE-400"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24726.json"},{"type":"ADVISORY","url":"https://github.com/istio/istio/security/advisories/GHSA-8w5h-qr4r-2h6g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24726"},{"type":"REPORT","url":"https://github.com/golang/go/issues/51112"},{"type":"FIX","url":"https://github.com/istio/istio/commit/6ca5055a4db6695ef5504eabdfde3799f2ea91fd"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/golang/go","events":[{"introduced":"0"},{"last_affected":"f8a63418e985d972c86d3da5bf90b7e81b72b468"},{"fixed":"3a1b4e75f8b6c1b57db73bccf7ca871bf1a97ca9"},{"fixed":"72766093e6bd092eb18df3759055625ba8436484"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"\u003c 
1.11.8,"},{"introduced":"1.12.0"},{"fixed":"1.12.5"},{"introduced":"1.13.0"},{"fixed":"1.13.2"}]}}],"versions":["go1","go1.0.1","go1.0.2","go1.0.3","go1.1","go1.1.1","go1.1.2","go1.10","go1.10.1","go1.10.2","go1.10.3","go1.10.4","go1.10.5","go1.10.6","go1.10.7","go1.10.8","go1.10beta1","go1.10beta2","go1.10rc1","go1.10rc2","go1.11","go1.11.1","go1.11.2","go1.11.3","go1.11.4","go1.11.5","go1.11.6","go1.11.7","go1.11.8","go1.11beta1","go1.11beta2","go1.11beta3","go1.11rc1","go1.11rc2","go1.12","go1.12.1","go1.12.2","go1.12.3","go1.12.4","go1.12beta1","go1.12beta2","go1.12rc1","go1.13","go1.13.1","go1.13beta1","go1.13rc1","go1.13rc2","go1.14","go1.14.1","go1.14.10","go1.14.11","go1.14.12","go1.14.13","go1.14.14","go1.14.15","go1.14.2","go1.14.3","go1.14.4","go1.14.5","go1.14.6","go1.14.7","go1.14.8","go1.14.9","go1.14beta1","go1.14rc1","go1.15","go1.15.1","go1.15.10","go1.15.11","go1.15.12","go1.15.13","go1.15.14","go1.15.15","go1.15.2","go1.15.3","go1.15.4","go1.15.5","go1.15.6","go1.15.7","go1.15.8","go1.15.9","go1.15beta1","go1.15rc1","go1.15rc2","go1.16","go1.16.1","go1.16.10","go1.16.11","go1.16.12","go1.16.13","go1.16.14","go1.16.15","go1.16.2","go1.16.3","go1.16.4","go1.16.5","go1.16.6","go1.16.7","go1.16.8","go1.16.9","go1.16beta1","go1.16rc1","go1.17","go1.17.1","go1.17.10","go1.17.11","go1.17.12","go1.17.13","go1.17.2","go1.17.3","go1.17.4","go1.17.5","go1.17.6","go1.17.7","go1.17.8","go1.17.9","go1.17beta1","go1.17rc1","go1.17rc2","go1.18","go1.18.1","go1.18.10","go1.18.2","go1.18.3","go1.18.4","go1.18.5","go1.18.6","go1.18.7","go1.18.8","go1.18.9","go1.18beta1","go1.18beta2","go1.18rc1","go1.19","go1.19.1","go1.19.10","go1.19.11","go1.19.12","go1.19.13","go1.19.2","go1.19.3","go1.19.4","go1.19.5","go1.19.6","go1.19.7","go1.19.8","go1.19.9","go1.19beta1","go1.19rc1","go1.19rc2","go1.1rc2","go1.1rc3","go1.2","go1.2.1","go1.2.2","go1.20","go1.20.1","go1.20.10","go1.20.11","go1.20.12","go1.20.13","go1.20.14","go1.20.2","go1.20.3","go1.20.4","go1.20.5","go1.20.6
","go1.20.7","go1.20.8","go1.20.9","go1.20rc1","go1.20rc2","go1.20rc3","go1.21.0","go1.21.1","go1.21.10","go1.21.11","go1.21.12","go1.21.13","go1.21.2","go1.21.3","go1.21.4","go1.21.5","go1.21.6","go1.21.7","go1.21.8","go1.21.9","go1.21rc1","go1.21rc2","go1.21rc3","go1.21rc4","go1.22.0","go1.22.1","go1.22.10","go1.22.11","go1.22.12","go1.22.2","go1.22.3","go1.22.4","go1.22.5","go1.22.6","go1.22.7","go1.22.8","go1.22.9","go1.22rc1","go1.22rc2","go1.23.0","go1.23.1","go1.23.10","go1.23.11","go1.23.12","go1.23.2","go1.23.3","go1.23.4","go1.23.5","go1.23.6","go1.23.7","go1.23.8","go1.23.9","go1.23rc1","go1.23rc2","go1.24.0","go1.24.1","go1.24.10","go1.24.11","go1.24.12","go1.24.13","go1.24.2","go1.24.3","go1.24.4","go1.24.5","go1.24.6","go1.24.7","go1.24.8","go1.24.9","go1.24rc1","go1.24rc2","go1.24rc3","go1.25.0","go1.25.1","go1.25.2","go1.25.3","go1.25.4","go1.25.5","go1.25.6","go1.25.7","go1.25.8","go1.25rc1","go1.25rc2","go1.25rc3","go1.26.0","go1.26.1","go1.26rc1","go1.26rc2","go1.26rc3","go1.2rc2","go1.2rc3","go1.2rc4","go1.2rc5","go1.3","go1.3.1","go1.3.2","go1.3.3","go1.3beta1","go1.3beta2","go1.3rc1","go1.3rc2","go1.4","go1.4.1","go1.4.2","go1.4.3","go1.4beta1","go1.4rc1","go1.4rc2","go1.5","go1.5.1","go1.5.2","go1.5.3","go1.5.4","go1.5beta1","go1.5beta2","go1.5beta3","go1.5rc1","go1.6","go1.6.1","go1.6.2","go1.6.3","go1.6.4","go1.6beta1","go1.6beta2","go1.6rc1","go1.6rc2","go1.7","go1.7.1","go1.7.2","go1.7.3","go1.7.4","go1.7.5","go1.7.6","go1.7beta1","go1.7beta2","go1.7rc1","go1.7rc2","go1.7rc3","go1.7rc4","go1.7rc5","go1.7rc6","go1.8","go1.8.1","go1.8.2","go1.8.3","go1.8.4","go1.8.5","go1.8.5rc4","go1.8.5rc5","go1.8.6","go1.8.7","go1.8beta1","go1.8beta2","go1.8rc1","go1.8rc2","go1.8rc3","go1.9","go1.9.1","go1.9.2","go1.9.3","go1.9.4","go1.9.5","go1.9.6","go1.9.7","go1.9beta1","go1.9beta2","go1.9rc1","go1.9rc2","release.r56","release.r57","release.r57.1","release.r57.2","release.r58","release.r58.1","release.r58.2","release.r59","release.r60","release.r60.1",
"release.r60.2","release.r60.3","weekly","weekly.2009-11-06","weekly.2009-11-10","weekly.2009-11-10.1","weekly.2009-11-12","weekly.2009-11-17","weekly.2009-12-07","weekly.2009-12-09","weekly.2009-12-22","weekly.2010-01-05","weekly.2010-01-13","weekly.2010-01-27","weekly.2010-02-04","weekly.2010-02-17","weekly.2010-02-23","weekly.2010-03-04","weekly.2010-03-15","weekly.2010-03-22","weekly.2010-03-30","weekly.2010-04-13","weekly.2010-04-27","weekly.2010-05-04","weekly.2010-05-27","weekly.2010-06-09","weekly.2010-06-21","weekly.2010-07-01","weekly.2010-07-14","weekly.2010-07-29","weekly.2010-08-04","weekly.2010-08-11","weekly.2010-08-25","weekly.2010-09-06","weekly.2010-09-15","weekly.2010-09-22","weekly.2010-09-29","weekly.2010-10-13","weekly.2010-10-13.1","weekly.2010-10-20","weekly.2010-10-27","weekly.2010-11-02","weekly.2010-11-10","weekly.2010-11-23","weekly.2010-12-02","weekly.2010-12-08","weekly.2010-12-15","weekly.2010-12-15.1","weekly.2010-12-22","weekly.2011-01-06","weekly.2011-01-12","weekly.2011-01-19","weekly.2011-01-20","weekly.2011-02-01","weekly.2011-02-01.1","weekly.2011-02-15","weekly.2011-02-24","weekly.2011-03-07","weekly.2011-03-07.1","weekly.2011-03-15","weekly.2011-03-28","weekly.2011-04-04","weekly.2011-04-13","weekly.2011-04-27","weekly.2011-05-22","weekly.2011-06-02","weekly.2011-06-09","weekly.2011-06-16","weekly.2011-06-23","weekly.2011-07-07","weekly.2011-07-19","weekly.2011-07-29","weekly.2011-08-10","weekly.2011-08-17","weekly.2011-09-01","weekly.2011-09-07","weekly.2011-09-16","weekly.2011-09-21","weekly.2011-10-06","weekly.2011-10-18","weekly.2011-10-25","weekly.2011-10-26","weekly.2011-11-01","weekly.2011-11-02","weekly.2011-11-08","weekly.2011-11-09","weekly.2011-11-18","weekly.2011-12-01","weekly.2011-12-02","weekly.2011-12-06","weekly.2011-12-14","weekly.2011-12-22","weekly.2012-01-15","weekly.2012-01-20","weekly.2012-01-27","weekly.2012-02-07","weekly.2012-02-14","weekly.2012-02-22","weekly.2012-03-04","weekly.2012-03-13","weekly.2
012-03-22","weekly.2012-03-27"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24726.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/istio/istio","events":[{"introduced":"0"},{"fixed":"0093844b8a85b322be6fe1ca45108190323dba53"},{"introduced":"016bc46f4a5e0ef3fa135b3c5380ab7765467c1a"},{"fixed":"6332f0901f96ca97cf114d57b466d4bcd055b08c"},{"introduced":"75ee7514615d3a642a7eabaa0ad7c22cea1a1ed0"},{"fixed":"91533d04e894ff86b80acd6d7a4517b144f9e19a"},{"fixed":"6ca5055a4db6695ef5504eabdfde3799f2ea91fd"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.11.8"},{"introduced":"1.12.0"},{"fixed":"1.12.5"},{"introduced":"1.13.0"},{"fixed":"1.13.2"}]}}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.2.0","0.2.1","0.2.10","0.2.11","0.2.12","0.2.2","0.2.4","0.2.6","0.2.7","0.2.9","0.3.0","0.4.0","0.5.0","0.5.1","0.6.0","0.7.0","0.7.1","0.8.0","1.0.0","1.0.0-snapshot.0","1.0.0-snapshot.1","1.0.0-snapshot.2","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.1.0","1.1.0-rc.0","1.1.0-rc.1","1.1.0-rc.2","1.1.0-rc.3","1.1.0-rc.4","1.1.0-rc.5","1.1.0-rc.6","1.1.0-snapshot.2","1.1.0-snapshot.3","1.1.0-snapshot.4","1.1.0-snapshot.5","1.1.0-snapshot.6","1.1.0.snapshot.0","1.1.0.snapshot.1","1.1.1","1.1.10","1.1.11","1.1.12","1.1.13","1.1.14","1.1.15","1.1.16","1.1.17","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.1.7","1.1.8","1.1.9","1.10.0","1.10.0-alpha.0","1.10.0-alpha.1","1.10.0-rc.0","1.10.0-rc.1","1.10.1","1.10.2","1.10.3","1.10.4","1.10.5","1.10.6","1.11.0","1.11.0-beta.0","1.11.0-beta.1","1.11.0-beta.2","1.11.0-beta.3","1.11.0-rc.1","1.11.0-rc.2","1.11.0-rc.3","1.11.0-rc.4","1.11.1","1.11.2","1.11.3","1.11.4","1.11.5","1.11.6","1.11.7","1.12.0","1.12.0-alpha.0","1.12.0-alpha.1","1.12.0-alpha.5","1.12.0-beta.0","1.12.0-beta.1","1.12.0-beta.2","1.12.0-rc.1","1.12.1","1.12.2","1.12.3","1.12.4","1.13.0","1.13.0-beta.0","1.13.0-beta.1","1.13.1","1.14.0","1.14.0
-alpha.0","1.14.0-beta.0","1.14.0-beta.1","1.14.1","1.14.2","1.14.3","1.14.4","1.14.5","1.14.6","1.15-beta.0","1.15.0","1.15.0-beta.0","1.15.0-beta.1","1.15.0-rc.0","1.15.1","1.15.2","1.15.3","1.15.4","1.15.5","1.15.6","1.15.7","1.16.0","1.16.0-beta.0","1.16.0-beta.1","1.16.0-beta.2","1.16.0-rc.0","1.16.1","1.16.2","1.16.3","1.16.4","1.16.5","1.16.6","1.16.7","1.17.0","1.17.0-beta.0","1.17.0-beta.1","1.17.0-beta.2","1.17.0-rc.0","1.17.1","1.17.2","1.17.3","1.17.4","1.17.5","1.17.6","1.17.8","1.18.0","1.18.0-alpha.0","1.18.0-beta.0","1.18.0-beta.1","1.18.0-rc.0","1.18.1","1.18.2","1.18.3","1.18.5","1.18.6","1.18.7","1.19.0","1.19.0-alpha.0","1.19.0-alpha.1","1.19.0-beta.0","1.19.0-beta.1","1.19.0-rc.0","1.19.1","1.19.10","1.19.3","1.19.4","1.19.5","1.19.6","1.19.7","1.19.8","1.19.9","1.2.0","1.2.0-rc.0","1.2.0-rc.1","1.2.0-rc.2","1.2.0-rc.3","1.2.1","1.2.10","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9","1.20.0","1.20.0-beta.0","1.20.0-rc.0","1.20.1","1.20.2","1.20.3","1.20.4","1.20.5","1.20.6","1.20.7","1.20.8","1.21.0","1.21.0-beta.0","1.21.0-beta.1","1.21.0-rc.0","1.21.0-rc.1","1.21.1","1.21.2","1.21.3","1.21.4","1.21.5","1.21.6","1.22.0","1.22.0-alpha.1","1.22.0-beta.0","1.22.0-beta.1","1.22.0-rc.0","1.22.1","1.22.2","1.22.3","1.22.4","1.22.5","1.22.6","1.22.7","1.22.8","1.23.0","1.23.0-alpha.0","1.23.0-rc.0","1.23.0-rc.1","1.23.1","1.23.2","1.23.3","1.23.4","1.23.5","1.23.6","1.24.0","1.24.0-alpha.0","1.24.0-rc.0","1.24.1","1.24.2","1.24.3","1.24.4","1.24.5","1.24.6","1.25.0","1.25.0-alpha.0","1.25.0-rc.0","1.25.0-rc.1","1.25.1","1.25.2","1.25.3","1.25.4","1.25.5","1.26.0","1.26.0-alpha.0","1.26.0-beta.0","1.26.0-rc.0","1.26.1","1.26.2","1.26.3","1.26.4","1.26.5","1.26.6","1.26.7","1.26.8","1.27.0","1.27.0-beta.0","1.27.0-rc.0","1.27.1","1.27.2","1.27.3","1.27.4","1.27.5","1.27.6","1.27.7","1.27.8","1.28.0","1.28.0-alpha.0","1.28.0-beta.0","1.28.0-beta.1","1.28.0-rc.0","1.28.0-rc.1","1.28.1","1.28.2","1.28.3","1.28.4","1.28.5","1.29.0","1.29.0-
alpha.0","1.29.0-beta.0","1.29.0-rc.0","1.29.0-rc.1","1.29.0-rc.2","1.29.0-rc.3","1.29.1","1.3.0","1.3.0-rc.0","1.3.0-rc.1","1.3.0-rc.2","1.3.0-rc.3","1.3.1","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.3.8","1.4.0","1.4.0-beta.0","1.4.0-beta.1","1.4.0-beta.2","1.4.0-beta.3","1.4.0-beta.4","1.4.0-beta.5","1.4.1","1.4.10","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.4.8","1.4.9","1.5.0","1.5.0-alpha.0","1.5.0-beta.1","1.5.0-beta.2","1.5.0-beta.3","1.5.0-beta.4","1.5.0-beta.5","1.5.1","1.5.10","1.5.2","1.5.3","1.5.4","1.5.5","1.5.6","1.5.7","1.5.8","1.5.9","1.6.0","1.6.0-alpha.0","1.6.0-alpha.1","1.6.0-alpha.2","1.6.0-beta.0","1.6.0-beta.1","1.6.0-rc.0","1.6.0-rc.1","1.6.0-rc.2","1.6.1","1.6.10","1.6.11","1.6.12","1.6.13","1.6.14","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9","1.7.0","1.7.0-alpha.0","1.7.0-alpha.1","1.7.0-alpha.2","1.7.0-beta.1","1.7.0-beta.2","1.7.0-rc.1","1.7.0-rc.2","1.7.0-rc.3","1.7.0-rc.4","1.7.1","1.7.2","1.7.3","1.7.4","1.7.5","1.7.6","1.7.7","1.7.8","1.8.0","1.8.0-alpha.0","1.8.0-alpha.2","1.8.0-rc.0","1.8.0-rc.1","1.8.1","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.9.0","1.9.0-beta.0","1.9.0-beta.1","1.9.0-rc.0","1.9.1","1.9.2","1.9.3","1.9.4","1.9.5","1.9.6","1.9.7","1.9.8","1.9.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24726.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}