CVE-2020-1764

Kiali, all versions prior to 1.15.1, ships a hard-coded cryptographic key in its default configuration file. A remote attacker who knows that key can mint their own signed JWTs, bypass Kiali's authentication mechanisms and potentially gain privileges to view and alter the Istio configuration. The fix is to stop trusting the shipped default: the signing key must be unique per installation (generated or explicitly configured), and any deployment still running the default key should be treated as having had its authentication bypassed.
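The mechanism behind the description, as an added example written for this page rather than code from Kiali: a minimal HS256 JWT signer and verifier using only Go's standard library. The key value, the claim names and every function name here are assumptions chosen for illustration, not taken from Kiali's configuration or source. A server whose verifier is seeded with the key from the shipped default config accepts any token an attacker mints with that same key; a server that generates a per-installation random key at startup rejects it.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// defaultSigningKey stands in for a signing key that ships inside a default
// configuration file. Constructed placeholder for this example, not Kiali's key.
const defaultSigningKey = "example-default-key-do-not-use"

// claims is the minimal payload this example puts in a session token.
type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(signingInput string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// signHS256 produces header.payload.signature. Anyone holding key can call it,
// which is the whole problem when key is a published default.
func signHS256(c claims, key []byte) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return signingInput + "." + b64(hs256(signingInput, key)), nil
}

// verifyHS256 pins the algorithm to HS256, compares the HMAC in constant time
// and rejects expired tokens. It accepts any token signed with key, forged or not.
func verifyHS256(token string, key []byte, now time.Time) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims{}, errors.New("malformed token")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return claims{}, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "HS256" {
		return claims{}, errors.New("unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return claims{}, err
	}
	if !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], key)) {
		return claims{}, errors.New("bad signature")
	}
	rawPayload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return claims{}, err
	}
	var c claims
	if err := json.Unmarshal(rawPayload, &c); err != nil {
		return claims{}, err
	}
	if c.Exp <= now.Unix() {
		return claims{}, errors.New("token expired")
	}
	return c, nil
}

// randomKey is the fix: a per-installation secret generated at startup
// instead of a constant read from the shipped config file.
func randomKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

// forgeryAccepted plays the attacker: mint an admin token with the published
// default key and report whether a server using serverKey lets it through.
func forgeryAccepted(serverKey []byte) bool {
	now := time.Now()
	forged, err := signHS256(claims{Sub: "admin", Exp: now.Add(time.Hour).Unix()}, []byte(defaultSigningKey))
	if err != nil {
		return false
	}
	_, err = verifyHS256(forged, serverKey, now)
	return err == nil
}

func main() {
	fmt.Println("default key from config, forgery accepted:", forgeryAccepted([]byte(defaultSigningKey)))
	fmt.Println("random per-install key, forgery accepted:", forgeryAccepted(randomKey()))
}
```

Two points worth noting in the verifier: pinning `alg` to HS256 closes the separate algorithm-confusion class, and a random key does nothing for tokens already minted with the old default, so rotating the key must be paired with invalidating existing sessions.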
References

Link | Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764 | Issue Tracking, Mitigation, Third Party Advisory
https://kiali.io/news/security-bulletins/kiali-security-001/ | Exploit, Mitigation, Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:kiali:kiali:*:*:*:*:*:*:*:*

Configuration 2

cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-03-26 13:15

Updated : 2024-02-04 21:00


NVD link : CVE-2020-1764

Mitre link : CVE-2020-1764

CVE.ORG link : CVE-2020-1764


Products Affected

kiali

  • kiali

redhat

  • openshift_service_mesh
CWE
CWE-798

Use of Hard-coded Credentials

CWE-321

Use of Hard-coded Cryptographic Key