Описание
An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.
Ссылки
- Issue TrackingThird Party Advisory
- MitigationVendor Advisory
- Issue TrackingThird Party Advisory
- MitigationVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 0.4.0 (включая) до 1.15.1 (исключая)
cpe:2.3:a:kiali:kiali:*:*:*:*:*:*:*:*
Конфигурация 2
cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*
EPSS
Процентиль: 68%
0.00582
Низкий
7 High
CVSS3
8.6 High
CVSS3
7.5 High
CVSS2
Дефекты
CWE-384
CWE-384
Связанные уязвимости
CVSS3: 7
redhat
почти 6 лет назад
An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.
EPSS
Процентиль: 68%
0.00582
Низкий
7 High
CVSS3
8.6 High
CVSS3
7.5 High
CVSS2
Дефекты
CWE-384
CWE-384