CVE-2020-1764
kiali: JWT cookie uses default signing key
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.
Se detectó una vulnerabilidad de clave criptográfica embebida en el archivo de configuración predeterminado en Kiali, todas las versiones anteriores a 1.15.1. Un atacante remoto podría abusar de este fallo mediante la creación de sus propios tokens firmados JWT y omisión de los mecanismos de autenticación de Kiali, posiblemente obteniendo privilegios para visualizar y alterar la configuración de Istio.
A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-11-27 CVE Reserved
- 2020-03-26 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-321: Use of Hard-coded Cryptographic Key
- CWE-798: Use of Hard-coded Credentials
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764 | Issue Tracking |
URL | Date | SRC |
---|---|---|
https://kiali.io/news/security-bulletins/kiali-security-001 | 2024-08-04 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2020-1764 | 2020-03-25 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1810383 | 2020-03-25 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Kiali Search vendor "Kiali" | Kiali Search vendor "Kiali" for product "Kiali" | < 1.15.1 Search vendor "Kiali" for product "Kiali" and version " < 1.15.1" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Openshift Service Mesh Search vendor "Redhat" for product "Openshift Service Mesh" | 1.0 Search vendor "Redhat" for product "Openshift Service Mesh" and version "1.0" | - |
Affected
|