ISTIO-SECURITY-2020-001
Authentication Policy bypass.
Disclosure Details | |
---|---|
CVE(s) | CVE-2020-8595 |
CVSS Impact Score | 9.0 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Affected Releases | 1.3 to 1.3.7, 1.4 to 1.4.3 |
Istio 1.3 to 1.3.7 and 1.4 to 1.4.3 are affected by a newly discovered vulnerability in Authentication Policy:
- CVE-2020-8595: A bug in Istio’s Authentication Policy exact path matching logic allows unauthorized access to resources without a valid JWT token. This bug affects all versions of Istio that support JWT Authentication Policy with path based trigger rules. The logic for the exact path match in the Istio JWT filter includes query strings or fragments instead of stripping them off before matching. This means attackers can bypass the JWT validation by appending `?` or `#` characters after the protected paths.
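
The matching flaw described above, reduced to a small Go model for use as a regression check. This is an added example, not Istio's filter code; the protected paths and all function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed exact-match trigger paths that must carry a valid JWT.
var protected = map[string]bool{"/private": true, "/api/orders": true}

// requiresJWTFlawed models the bug: the raw request path, query string
// and fragment included, is compared against the exact-match set.
func requiresJWTFlawed(rawPath string) bool {
	return protected[rawPath]
}

// stripQueryAndFragment cuts the path at the first '?' or '#'.
func stripQueryAndFragment(rawPath string) string {
	if i := strings.IndexAny(rawPath, "?#"); i >= 0 {
		return rawPath[:i]
	}
	return rawPath
}

// requiresJWTFixed strips the query string and fragment before matching.
func requiresJWTFixed(rawPath string) bool {
	return protected[stripQueryAndFragment(rawPath)]
}

// divergent returns the inputs on which the two matchers disagree, i.e.
// requests the flawed matcher would let through without JWT validation.
func divergent(paths []string) []string {
	var out []string
	for _, p := range paths {
		if requiresJWTFlawed(p) != requiresJWTFixed(p) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed regression inputs.
	cases := []string{"/private", "/private?", "/private#", "/private?a=1", "/privatex", "/public?x"}
	for _, p := range cases {
		fmt.Printf("%-14q flawed=%-5v fixed=%v\n", p, requiresJWTFlawed(p), requiresJWTFixed(p))
	}
	fmt.Println("divergent:", divergent(cases))
}
```
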
Mitigation
- For Istio 1.3.x deployments: update to Istio 1.3.8 or later.
- For Istio 1.4.x deployments: update to Istio 1.4.4 or later.
Credit
The Istio team would like to thank Aspen Mesh for the original bug report and code fix of CVE-2020-8595.
Reporting vulnerabilities
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.