Vulnerability details: VCID-y6fg-pbc5-4udu
Vulnerability ID VCID-y6fg-pbc5-4udu
Aliases CVE-2022-23635
GHSA-856q-xv3c-7f2f
Summary Unauthenticated control plane denial of service attack in Istio

### Impact
The Istio control plane, `istiod`, is vulnerable to a request processing error that allows an attacker who sends a specially crafted message to crash the control plane. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [multicluster](https://istio.io/latest/docs/setup/install/multicluster/primary-remote/) topologies, this port is exposed over the public internet.

### Patches
- Istio 1.13.1 and above
- Istio 1.12.4 and above
- Istio 1.11.7 and above

### Workarounds
There are no effective workarounds beyond upgrading. Limiting network access to Istiod to the minimal set of clients can help lessen the scope of the vulnerability to some extent.

### References
More details can be found in the [Istio Security Bulletin](https://istio.io/latest/news/security/istio-security-2022-003).

### For more information
If you have any questions or comments about this advisory, please email us at [istio-security-vulnerability-reports@googlegroups.com](mailto:istio-security-vulnerability-reports@googlegroups.com)
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (2)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23635.json
epss 0.00648 https://api.first.org/data/v1/epss?cve=CVE-2022-23635
epss 0.00684 https://api.first.org/data/v1/epss?cve=CVE-2022-23635
cvssv3.1 7.5 https://github.com/istio/istio
generic_textual HIGH https://github.com/istio/istio
cvssv3.1 7.5 https://github.com/istio/istio/commit/5f3b5ed958ae75156f8656fe7b3794f78e94db84
generic_textual HIGH https://github.com/istio/istio/commit/5f3b5ed958ae75156f8656fe7b3794f78e94db84
ssvc Track https://github.com/istio/istio/commit/5f3b5ed958ae75156f8656fe7b3794f78e94db84
cvssv3.1 7.5 https://github.com/istio/istio/security/advisories/GHSA-856q-xv3c-7f2f
generic_textual HIGH https://github.com/istio/istio/security/advisories/GHSA-856q-xv3c-7f2f
ssvc Track https://github.com/istio/istio/security/advisories/GHSA-856q-xv3c-7f2f
cvssv3.1 7.5 https://istio.io/latest/news/security/istio-security-2022-003
generic_textual HIGH https://istio.io/latest/news/security/istio-security-2022-003
ssvc Track https://istio.io/latest/news/security/istio-security-2022-003
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2022-23635
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-23635
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-23635
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23635.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/istio/istio
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/istio/istio/commit/5f3b5ed958ae75156f8656fe7b3794f78e94db84
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:57:30Z/ Found at https://github.com/istio/istio/commit/5f3b5ed958ae75156f8656fe7b3794f78e94db84
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/istio/istio/security/advisories/GHSA-856q-xv3c-7f2f
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:57:30Z/ Found at https://github.com/istio/istio/security/advisories/GHSA-856q-xv3c-7f2f
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://istio.io/latest/news/security/istio-security-2022-003
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:57:30Z/ Found at https://istio.io/latest/news/security/istio-security-2022-003
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2022-23635
Access Vector (AV): network; Access Complexity (AC): low; Authentication (Au): none; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): partial
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-23635
Exploit Prediction Scoring System (EPSS)
Percentile 0.69863
EPSS Score 0.00648
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:02:21.558657+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-856q-xv3c-7f2f/GHSA-856q-xv3c-7f2f.json 37.0.0