Vulnerabilities (CVE)

Filtered by vendor Kiali
Filtered by product Kiali
Total 3 CVE
CVE | Vendors (count, names) | Products (count, names) | Updated | CVSS v2 | CVSS v3
CVE-2021-20278 | 1: Kiali | 1: Kiali | 2024-02-04 | 5.8 MEDIUM | 6.5 MEDIUM
An authentication bypass vulnerability was found in Kiali in versions before 1.31.0 when the authentication strategy `OpenID` is used. When RBAC is enabled, Kiali assumes that some of the token validation is handled by the underlying cluster. When OpenID `implicit flow` is used with RBAC turned off, this token validation doesn't occur, and this allows a malicious user to bypass the authentication.
CVE-2020-1764 | 2: Kiali, Redhat | 2: Kiali, Openshift Service Mesh | 2024-02-04 | 7.5 HIGH | 8.6 HIGH
A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.
CVE-2020-1762 | 2: Kiali, Redhat | 2: Kiali, Openshift Service Mesh | 2024-02-04 | 7.5 HIGH | 8.6 HIGH
An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.