CVE-2020-1762

CWE-384 CWE-613 — Insufficient Session Expiration CWE-565 CWE-295 — Improper Certificate Validation7 documents6 sources

Severity

8.6HIGH

EPSS

0.6%

top 31.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Kiali/kiali Kiali Kiali [kiali] Kiali +1 more

Timeline

PublishedApr 27

Latest updateAug 21

Description

An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:HExploitability: 2.2 | Impact: 4.7

Affected Packages4 packages

▶NVDkiali/kiali0.4.0 — 1.15.1

▶Gogithub.com/kiali/kiali0.4.0 — 1.15.1

▶CVEListV5[kiali]/kiali>= 0.4.0, < 1.15.1

▶NVDredhat/openshift_service_mesh1.0

🔴Vulnerability Details

OSV

Insufficient Session Expiration in Kiali in github.com/kiali/kiali↗2024-08-21

▶

OSV

Insufficient Session Expiration in Kiali↗2021-05-18

▶

GHSA

Insufficient Session Expiration in Kiali↗2021-05-18

▶

CVEList

CVE-2020-1762: An insufficient JWT validation vulnerability was found in Kiali versions 0↗2020-04-27

▶

📋Vendor Advisories

Red Hat

kiali: ignoring JWT claim fields↗2020-03-25

▶

💬Community

Bugzilla

CVE-2020-1762 kiali: ignoring JWT claim fields↗2020-03-05

▶