Description
Hard-coded cryptographic key in Kiali
A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own signed JWT tokens to bypass Kiali's authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-1764
- https://github.com/kiali/kiali/commit/93f5cd0b6698e8fe8772afb8f35816f6c086aef1
- https://github.com/kiali/kiali/commit/ac7bd6c7ddb2e01356e21d360dd1c718a90706ad
- https://github.com/kiali/kiali/commit/ce48af57113c805a25179aaab1a0fac2fb93653f
- https://github.com/kiali/kiali/commit/faed1f5f90efae3df9fd6fb793f00ccc242b3a96
- https://bugzilla.redhat.com/show_bug.cgi?id=1810383
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764
- https://github.com/jpts/cve-2020-1764-poc
- https://kiali.io/news/security-bulletins/kiali-security-001
Packages
Package: github.com/kiali/kiali
Affected versions: < 1.15.1
Fixed version: 1.15.1
Related vulnerabilities
A vulnerability in Kiali, the management console for Istio-based service meshes, related to the use of a hard-coded encryption key, allowing an attacker to elevate their privileges
ELSA-2020-5765: Unbreakable Enterprise kernel-container kata-image kata-runtime kata kubernetes kubernetes istio olcne security update (IMPORTANT)