{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*",
            "extracted_events": [
              {
                "introduced": "1.3"
              },
              {
                "last_affected": "1.3.7"
              },
              {
                "introduced": "1.4.0"
              },
              {
                "last_affected": "1.4.3"
              }
            ],
            "source": "CPE_RANGE"
          },
          "events": [
            {
              "introduced": "c2bd59595ce699b31d0f931885f023028ff7902b"
            },
            {
              "last_affected": "23077869571812df7e888efdf1fb00c749f1cfcf"
            },
            {
              "introduced": "c4def934e4f8d1feb42725da41ee0078cde8397f"
            },
            {
              "last_affected": "17f6bfc3d7121ad527c2d617ffc27c758d6a7241"
            }
          ],
          "repo": "https://github.com/istio/istio",
          "type": "GIT"
        }
      ]
    }
  ],
  "database_specific": {
    "unresolved_ranges": [
      {
        "cpes": [
          "cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*"
        ],
        "extracted_events": [
          {
            "introduced": "1.0"
          },
          {
            "last_affected": "1.0"
          }
        ],
        "source": "CPE_STRING",
        "vendor_product": "redhat:openshift_service_mesh"
      }
    ]
  },
  "details": "Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match.",
  "id": "CVE-2020-8595",
  "modified": "2026-07-08T05:37:58.260004654Z",
  "published": "2020-02-12T15:15:14.727Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2020:0477"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/security/cve/cve-2020-8595"
    },
    {
      "type": "ADVISORY",
      "url": "https://istio.io/news/security/"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8595"
    },
    {
      "type": "FIX",
      "url": "https://github.com/istio/istio/commits/master"
    },
    {
      "type": "FIX",
      "url": "https://istio.io/news/security/istio-security-2020-001/"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}