Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveMitreCVE-2020-8595
HistoryFeb 12, 2020 - 3:15 p.m.

CVE-2020-8595

2020-02-1215:15:14
CWE-287
mitre
web.nvd.nist.gov
44
cve-2020-8595
istio
authentication bypass
exact-path matching logic
http paths
jwt token

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score

7.2

Confidence

High

EPSS

0.003

Percentile

71.5%

JSON

Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match.

Affected configurations

Nvd
Node
istioistioRange1.31.3.7
OR
istioistioRange1.4.01.4.3
Node
redhatenterprise_linuxMatch8.0
AND
redhatopenshift_service_meshMatch1.0
VendorProductVersionCPE
istioistio*cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*
redhatenterprise_linux8.0cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
redhatopenshift_service_mesh1.0cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*

Related

veracode 1
nvd 1
redhat 1
prion 1
osv 1
nessus 1
redhatcve 1
cvelist 1
veracode
veracode
Authentication Bypass
2020-02-13 06:03:50
nvd
nvd
CVE-2020-8595
2020-02-12 15:15:14
redhat
redhat
(RHSA-2020:0477) Important: Red Hat OpenShift Service Mesh 1.0.7 servicemesh-proxy security update
2020-02-12 00:00:14
prion
prion
Authentication flaw
2020-02-12 15:15:00
osv
osv
CVE-2020-8595
2020-02-12 15:15:14
nessus
nessus
RHEL 8 : Red Hat OpenShift Service Mesh 1.0.7 servicemesh-proxy (RHSA-2020:0477)
2020-02-13 00:00:00
redhatcve
redhatcve
CVE-2020-8595
2020-02-11 20:38:22
cvelist
cvelist
CVE-2020-8595
2020-02-12 14:10:15

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score

7.2

Confidence

High

EPSS

0.003

Percentile

71.5%

JSON
Related for CVE-2020-8595
veracode1nvd1redhat1prion1osv1nessus1redhatcve1cvelist1