{"id":"CVE-2020-8595","details":"Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match.","modified":"2026-07-08T05:54:13.690205004Z","published":"2020-02-12T15:15:14.727Z","database_specific":{"unresolved_ranges":[{"vendor_product":"redhat:openshift_service_mesh","source":"CPE_STRING","cpes":["cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"1.0"},{"last_affected":"1.0"}]}]},"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0477"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/cve-2020-8595"},{"type":"ADVISORY","url":"https://istio.io/news/security/"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8595"},{"type":"FIX","url":"https://github.com/istio/istio/commits/master"},{"type":"FIX","url":"https://istio.io/news/security/istio-security-2020-001/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/istio/istio","events":[{"introduced":"c2bd59595ce699b31d0f931885f023028ff7902b"},{"last_affected":"23077869571812df7e888efdf1fb00c749f1cfcf"},{"introduced":"c4def934e4f8d1feb42725da41ee0078cde8397f"},{"last_affected":"17f6bfc3d7121ad527c2d617ffc27c758d6a7241"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"1.3"},{"last_affected":"1.3.7"},{"introduced":"1.4.0"},{"last_affected":"1.4.3"}]}}],"versions":["1.3.7","1.4.3","1.4.1","1.4.0","1.3.5","1.3.4","1.3.3","1.3.2","1.3.1","1.3.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8595.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}