Keptn v1 reached EOL December 22, 2023. For more information see


Version 1.0

Revision Information

Revision  Updated       Reason
1.0       July 8, 2020  Initial Reason


Keptn installations 0.6.2 and older.

Note: This is not applicable if you have installed Keptn using --use-case=quality-gates or --ingress-install-option=reuse.


Keptn 0.6.2 and older versions install an outdated and potentially insecure version of Istio: Keptn 0.6.x installs Istio 1.3, Keptn 0.5.x installs Istio 1.2.

This vulnerability affects a 3rd-party component and is publicly known via the Istio security bulletins. There is reason to believe that it has been maliciously exploited in the past, as Istio is a frequently targeted component in cloud application workloads.


CVSSv3.1 Rating: 9.0 (Very High)

CVSSv3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Because we ship an old version of Istio (1.2 or 1.3, respectively) with several known vulnerabilities (see ), we took the highest CVSS score that Istio itself has reported, which is 9.0 (Very High). The attacks range from heap overflow and denial of service to authentication policy bypass.



If you install Keptn, install the latest version of Istio first, then install Keptn using the --ingress-install-option=reuse flag.
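Before re-installing with the reuse flag, it helps to know whether the cluster still runs the Istio line that Keptn 0.5.x / 0.6.x installed. The following check is an added example, not part of the Keptn advisory or the Keptn project; it assumes Istio runs in the istio-system namespace, kubectl is configured, and the Istio images carry a semver tag.

```shell
#!/bin/sh
# Added example, not part of the Keptn advisory: does this cluster still run the
# Istio 1.2.x / 1.3.x control plane that Keptn 0.5.x / 0.6.x installed?
# Assumptions: Istio lives in the istio-system namespace, kubectl is configured,
# and the Istio images carry a semver tag (e.g. docker.io/istio/pilot:1.3.6).

# Print "major.minor" of an image reference's tag, or nothing if there is no semver tag.
#   docker.io/istio/pilot:1.3.6            -> 1.3
#   gcr.io/istio-release/pilot:1.2.10      -> 1.2
#   docker.io/istio/pilot:latest           -> (nothing)
istio_major_minor() {
  ref="${1%%@*}"                       # drop a trailing @sha256:... digest, if any
  tag="${ref##*:}"                     # text after the last colon (the tag)
  case "$tag" in
    [0-9]*.[0-9]*) printf '%s\n' "$tag" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/' ;;
    *) ;;                              # no tag, or a non-numeric tag such as "latest"
  esac
}

# Succeed (exit 0) when major.minor is one of the Istio lines shipped by Keptn 0.5.x / 0.6.x.
is_keptn_shipped_istio() {
  case "$1" in
    1.2|1.3) return 0 ;;
    *) return 1 ;;
  esac
}

# Read image references (one per line) and label each KEPTN-SHIPPED or OTHER.
classify_istio_images() {
  while IFS= read -r image; do
    [ -n "$image" ] || continue
    mm="$(istio_major_minor "$image")"
    if [ -n "$mm" ] && is_keptn_shipped_istio "$mm"; then
      printf 'KEPTN-SHIPPED %s\n' "$image"
    else
      printf 'OTHER %s\n' "$image"
    fi
  done
}

# Constructed sample input, standing in for the live kubectl query below.
SAMPLE_IMAGES='docker.io/istio/pilot:1.3.6
docker.io/istio/pilot:1.2.10
docker.io/istio/pilot:latest'
printf '%s\n' "$SAMPLE_IMAGES" | classify_istio_images

# Live check (replace the sample with the real image list):
#   kubectl -n istio-system get pods -o jsonpath='{.items[*].spec.containers[*].image}' \
#     | tr ' ' '\n' | classify_istio_images
```

Any KEPTN-SHIPPED line means the old control plane is still present and should be replaced by a current Istio before Keptn is installed with --ingress-install-option=reuse.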

How to identify whether the vulnerability has been abused

As this affects a 3rd-party component, how to identify whether the vulnerability has been abused is documented on their website: