
Cloud Vulnerability DB
A community-led vulnerabilities database
An unauthorized access vulnerability (CVE-2020-8595) was discovered in Istio versions 1.3 to 1.3.7 and 1.4 to 1.4.3. The vulnerability was disclosed on February 11, 2020, affecting Istio's Authentication Policy exact path matching logic. This flaw allows attackers to bypass JWT validation on protected HTTP paths (Istio Security).
The vulnerability exists in Istio's Authentication Policy exact path matching logic where the JWT filter includes query strings or fragments instead of stripping them off before matching. This implementation flaw means attackers can bypass the JWT validation by appending '?' or '#' characters after the protected paths. The vulnerability has a CVSS v3 base score of 9.0 (Critical) with vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (Istio Security).
The vulnerability allows unauthorized access to HTTP paths that are configured to be only accessed with a valid JWT token. This means attackers could potentially access protected resources without proper authentication, compromising the security of the service mesh (Red Hat CVE).
Users are advised to update to patched versions: Istio 1.3.8 or later for 1.3.x deployments, and Istio 1.4.4 or later for 1.4.x deployments. As a temporary workaround, paths used in the exact match clause can be updated to use regex instead. For example, '/productpage' can be changed to regex: '/productpage(\?.*)?' and regex: '/productpage(#.*)?' to properly handle query parameters and fragments (Bugzilla).
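The following added example (not Istio or Envoy code, and not part of the original advisory) models the matching behaviour described above and checks that the two workaround patterns cover every request target the patched logic would protect. The function names and sample request targets are constructed for illustration, and regex rules are assumed to match the whole request target.

```python
import re

# Simplified model of trigger-rule path matching; NOT Istio or Envoy source.
# Function names and sample targets below are constructed for illustration.

def strip_query_fragment(target):
    """Return only the path portion of an HTTP request target."""
    return re.split(r"[?#]", target, maxsplit=1)[0]

def requires_jwt_affected(target, exact_paths):
    """Affected behaviour: raw target (query/fragment included) is compared."""
    return target in exact_paths

def requires_jwt_patched(target, exact_paths):
    """Intended behaviour: query and fragment are stripped before matching."""
    return strip_query_fragment(target) in exact_paths

def requires_jwt_regex(target, patterns):
    """Workaround: a regex rule triggers only if it matches the whole target."""
    return any(re.fullmatch(p, target) for p in patterns)

def coverage_gaps(matcher, rule, targets, protected=frozenset({"/productpage"})):
    """Targets the patched logic protects but `matcher` lets through unchecked."""
    return [t for t in targets
            if requires_jwt_patched(t, protected) and not matcher(t, rule)]

# Constructed request targets for the check.
SAMPLE_TARGETS = [
    "/productpage",
    "/productpage?",
    "/productpage?u=test",
    "/productpage#",
    "/productpage#top",
    "/productpagex",   # different path, must stay unprotected
    "/other",
]

# The two workaround patterns from the advisory.
WORKAROUND = [r"/productpage(\?.*)?", r"/productpage(#.*)?"]

if __name__ == "__main__":
    print("gaps with exact match:", coverage_gaps(
        requires_jwt_affected, {"/productpage"}, SAMPLE_TARGETS))
    print("gaps with regex workaround:", coverage_gaps(
        requires_jwt_regex, WORKAROUND, SAMPLE_TARGETS))
```

The same `coverage_gaps` check can be rerun with your own protected paths and regex rules before relying on the workaround in place of an upgrade.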
The vulnerability was originally reported by Aspen Mesh, who also provided the code fix. The Istio Product Security Committee acknowledged the finding and coordinated the disclosure (Istio Security).
Source: This report was generated using AI