Description
A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.
References
- Issue Tracking, Mitigation, Third Party Advisory
- Exploit, Mitigation, Vendor Advisory
- Issue Tracking, Mitigation, Third Party Advisory
- Exploit, Mitigation, Vendor Advisory
Vulnerable configurations
EPSS: 8.6 High
CVSS3: 7.5 High
CVSS2
Defects
Related vulnerabilities
Vulnerability in Kiali, the management console for the Istio-based service mesh, related to the use of a hard-coded encryption key, allowing an attacker to escalate privileges
ELSA-2020-5765: Unbreakable Enterprise kernel-container kata-image kata-runtime kata kubernetes kubernetes istio olcne security update (IMPORTANT)