Skip to content

x/vulndb: potential Go vuln in github.com/istio/istio: CVE-2020-8595 #2306

New issue
New issue
Closed
Closed
x/vulndb: potential Go vuln in github.com/istio/istio: CVE-2020-8595#2306
Labels
excluded: LEGACY_FALSE_POSITIVE(DO NOT USE) Vulnerability marked as false positive before we introduced the triage process
@tatianab

Description

@tatianab
tatianab
opened on Nov 8, 2023

CVE-2020-8595 references github.com/istio/istio, which may be a Go module.

Description:
Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/istio/istio
      vulnerable_at: 0.0.0-20231108040633-7df817a6ab40
      packages:
        - package: n/a
cves:
    - CVE-2020-8595
references:
    - fix: https://github.com/istio/istio/commits/master
    - web: https://istio.io/news/security/
    - web: https://access.redhat.com/errata/RHSA-2020:0477
    - web: https://access.redhat.com/security/cve/cve-2020-8595
    - web: https://istio.io/news/security/istio-security-2020-001/
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8595

Metadata

Metadata

Assignees

No one assigned

    Labels

    excluded: LEGACY_FALSE_POSITIVE(DO NOT USE) Vulnerability marked as false positive before we introduced the triage process

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions