CVE-2020-1764

CWE-321 CWE-798 — Hard-coded Credentials7 documents6 sources

Severity

8.6HIGH

EPSS

6.1%

top 9.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Kiali/kiali Kiali Kiali RED HAT Kiali +1 more

Timeline

PublishedMar 26

Latest updateAug 21

Description

A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:HExploitability: 3.9 | Impact: 4.7

Affected Packages4 packages

▶NVDkiali/kiali< 1.15.1

▶Gogithub.com/kiali/kiali< 1.15.1

▶CVEListV5red_hat/kialiall Kiali versions prior to 1.15.1

▶NVDredhat/openshift_service_mesh1.0

🔴Vulnerability Details

OSV

Hard coded cryptographic key in Kiali in github.com/kiali/kiali↗2024-08-21

▶

OSV

Hard coded cryptographic key in Kiali↗2021-05-18

▶

GHSA

Hard coded cryptographic key in Kiali↗2021-05-18

▶

CVEList

CVE-2020-1764: A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1↗2020-03-26

▶

📋Vendor Advisories

Red Hat

kiali: JWT cookie uses default signing key↗2020-03-25

▶

💬Community

Bugzilla

CVE-2020-1764 kiali: JWT cookie uses default signing key↗2020-03-05

▶