CVE-2020-8595: Improper Authentication

February 12, 2020 (updated February 20, 2020)

The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match.

References

bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8595
istio.io/news/security/
istio.io/news/security/istio-security-2020-001/
nvd.nist.gov/vuln/detail/CVE-2020-8595

Code Behaviors & Features

Detect and mitigate CVE-2020-8595 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →