CVE-2020-1764 (CVSS v2 7.5)

Published: 26/03/2020 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 8.6 | Impact Score: 4.7 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions before 1.15.1. A remote attacker could abuse this flaw by creating their own signed JWTs and bypassing Kiali's authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.

Vulnerable Products

kiali kiali

redhat openshift service mesh 1.0

Vendor Advisories

Synopsis: Moderate: Red Hat OpenShift Service Mesh 1.0.10 openshift-istio-kiali-rhel7-operator-container security update
Type/Severity: Security Advisory: Moderate
Topic: An update for openshift-istio-kiali-rhel7-operator-container is now available for OpenShift Service Mesh 1.0. Red Hat Product Security has ra ...

Github Repositories

Auth Bypass PoC for Kiali

CVE-2020-1764 PoC: auth bypass PoC for Kiali 0.4.0 to 1.15.0 using the login auth strategy (Security Bulletin).
Check version: curl '<IP>/api'
Check auth strategy: curl '<IP>/api/auth/info'
Run: go run ./poc.go
Then: curl '<IP>/api/status' -H "Authorization: Bearer $JWT"