CVE-2020-1764 Information

Description

A hard-coded cryptographic key vulnerability was found in the default configuration file of Kiali, affecting all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own signed JWT tokens to bypass Kiali's authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Reference

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764

https://kiali.io/news/security-bulletins/kiali-security-001/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

Base Score

8.6

Base Severity

HIGH
