CVE-2020-8595

Source
https://cve.org/CVERecord?id=CVE-2020-8595
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8595.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-8595
Downstream
Published
2020-02-12T15:15:14.727Z
Modified
2025-11-14T11:12:25.312488Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
[none]
Details

Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allow authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be accessible only after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match.

References

Affected packages

Git / github.com/istio/istio

Affected versions

1.*

1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.7
1.4.0
1.4.1
1.4.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8595.json"