vulnerability
Arch Linux: Information disclosure (CVE-2021-34824)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:S/C:P/I:P/A:P) | Jun 29, 2021 | Jul 11, 2025 | Nov 27, 2025 |
Severity
7
CVSS
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
Published
Jun 29, 2021
Added
Jul 11, 2025
Modified
Nov 27, 2025
Description
Istio before version 1.10.2 contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.
The Istio Gateway and DestinationRule can load private keys and certificates from Kubernetes secrets via the credentialName configuration. For Istio 1.8 and above, the secrets are conveyed from Istiod to gateways or workloads via the XDS API.
In the above approach, a gateway or workload deployment should only be able to access credentials (TLS certificates and private keys) stored in the Kubernetes secrets within its namespace. However, a bug in Istiod permits an authorized client the ability to access and retrieve any TLS certificate and private key cached in Istiod.
The Istio Gateway and DestinationRule can load private keys and certificates from Kubernetes secrets via the credentialName configuration. For Istio 1.8 and above, the secrets are conveyed from Istiod to gateways or workloads via the XDS API.
In the above approach, a gateway or workload deployment should only be able to access credentials (TLS certificates and private keys) stored in the Kubernetes secrets within its namespace. However, a bug in Istiod permits an authorized client the ability to access and retrieve any TLS certificate and private key cached in Istiod.
Solution
arch-linux-upgrade-latest
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.