Hard-coded Cryptographic Key Vulnerability in Kiali Allows Unauthorized Access to Istio Configuration

Hard-coded Cryptographic Key Vulnerability in Kiali Allows Unauthorized Access to Istio Configuration

CVE-2020-1764 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.

Learn more about our Web Application Penetration Testing UK.