Base Score

HIGH8.6

CVE-2020-1762

An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.

VectorNETWORK

Published Bysecalert@redhat.com

Published DateApr 27, 2020, 21:15

Affected Versions(1)

github.com/kiali/kiali(Go)

Introduced0.4.0

Fixed1.15.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/kiali/kiali(Go)	0.4.0	1.15.1	N/A

Weakness Type (CWE):CWE-384

CVSS Metrics

Base Score

8.6

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

HIGH

References

Base Score

HIGH8.6

Weakness Type (CWE):CWE-384

CVSS Metrics

Base Score

8.6

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

HIGH