Lucene search

RedhatCVE-2020-1764

HistoryMar 26, 2020 - 1:15 p.m.

CVE-2020-1764

2020-03-2613:15:13

CWE-798

CWE-321

redhat

web.nvd.nist.gov

cve-2020-1764

hard-coded cryptographic key

kiali

jwt signed tokens

kiali authentication

istio configuration

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

AI Score

8.5

Confidence

High

EPSS

0.002

Percentile

59.1%

JSON

A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.

Affected configurations

Nvd

Vulners

Node

kialikialiRange<1.15.1

Node

redhatopenshift_service_meshMatch1.0

VendorProductVersionCPE
kialikiali*cpe:2.3:a:kiali:kiali:*:*:*:*:*:*:*:*
redhatopenshift_service_mesh1.0cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
kiali	kiali	*	cpe:2.3:a:kiali:kiali::::::::
redhat	openshift_service_mesh	1.0	cpe:2.3:a:redhat:openshift_service_mesh:1.0:::::::*

CNA Affected

[
  {
    "product": "kiali",
    "vendor": "Red Hat",
    "versions": [
      {
        "status": "affected",
        "version": "all Kiali versions prior to 1.15.1"
      }
    ]
  }
]