CVE-2021-39156: 
Istio Control Plane (istiod) vulnerability analysis and mitigation

A remotely exploitable vulnerability identified as CVE-2021-39156 was discovered in Istio where an HTTP request containing a #fragment in the path could bypass Istio's URI path-based authorization policies. The vulnerability affects all Istio versions prior to 1.9.8, versions 1.10.0 to 1.10.3, and version 1.11.0. This security issue was disclosed on August 24, 2021 (Istio Security, GitHub Advisory).

The vulnerability occurs when a request containing a URI fragment (a section at the end of a URI that begins with a # character) is processed. For example, if an Istio authorization policy denies requests to the URI path /user/profile, a request with URI path /user/profile#section1 would bypass the deny policy and route to the backend with the normalized URI path /user/profile%23section1. The vulnerability has been assigned a CVSS score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) (Istio Security).

The vulnerability could lead to unauthorized access to protected resources by bypassing Istio's URI path-based authorization policies. This affects organizations using authorization policies with DENY actions and operation.paths, or ALLOW actions and operation.notPaths (Istio Security).

The vulnerability has been patched in Istio versions 1.9.8, 1.10.4, and 1.11.1. The fix removes the fragment part of the request's URI before authorization and routing. Organizations can opt-out of this behavior by configuring their installation with the HTTP_STRIP_FRAGMENT_FROM_PATH_UNSAFE_IF_DISABLED proxy metadata set to 'false', though this is considered unsafe (Istio Security).