First published: Thu Mar 05 2020
A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by forging their own signed JWTs and bypassing Kiali's authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/kiali/kiali | <1.15.1 | 1.15.1 |
| redhat/kiali | <1.15.1 | 1.15.1 |
| Kiali Kiali | <1.15.1 | |
| Redhat Openshift Service Mesh | =1.0 | |
CVE-2020-1764 is a hard-coded cryptographic key vulnerability in the default configuration file found in Kiali.
The severity of CVE-2020-1764 is high with a CVSS score of 8.6.
CVE-2020-1764 allows a remote attacker to forge their own signed JWTs and bypass Kiali's authentication mechanisms, potentially gaining unauthorized privileges to view and alter data.
All versions of Kiali prior to 1.15.1 are affected by CVE-2020-1764.
To fix CVE-2020-1764, update Kiali to version 1.15.1 or higher.
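As an added illustration of the defensive pattern behind this class of flaw (example code, not Kiali's own): a startup check that refuses a JWT signing key still equal to the value shipped in a default config, plus a verifier that only accepts tokens minted under the deployment's own randomly generated secret, so a token signed with the shipped default (the forgery the advisory describes) fails verification. The config path `login_token.signing_key` and the default key value are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a signing key shipped inside a default config file.
SHIPPED_DEFAULT_KEY = "default-config-hardcoded-key-DO-NOT-USE"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def generate_signing_key() -> str:
    """Per-deployment random secret: 32 random bytes, url-safe encoded."""
    return secrets.token_urlsafe(32)

def load_signing_key(config: dict) -> bytes:
    """Startup check: reject an absent, shipped-default or short signing key.
    The config path login_token.signing_key is assumed for illustration."""
    key = config.get("login_token", {}).get("signing_key")
    if not key or key == SHIPPED_DEFAULT_KEY:
        raise ValueError("signing_key absent or still the shipped default")
    if len(key.encode()) < 32:
        raise ValueError("signing_key shorter than 32 bytes")
    return key.encode()

def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT (used here only to exercise the verifier)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes):
    """Return claims only if the HS256 signature matches this deployment's key."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # pin the algorithm; never honour the token's own alg field
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))
```

Because the secret is generated per deployment, knowledge of the key in a published default configuration gives no way to produce a token that `verify_jwt` accepts.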