CVE-2020-1764

Exploit

EPSS 5.25%
Published 26.03.2020 13:15:13
Last modified 21.11.2024 05:11:20
Source secalert@redhat.com
Teams watchlist Login
Open Login

A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.

Affected products Warnungen 0 Metrics 4 CWE 2 References 5

Data is provided by the National Vulnerability Database (NVD)

Kiali ≫ Kiali Version < 1.15.1

Redhat ≫ Openshift Service Mesh Version1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	5.25%	0.89

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.6	3.9	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
secalert@redhat.com	8.6	3.9	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CWE-321 Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764

Third Party Advisory

Issue Tracking

Mitigation

https://kiali.io/news/security-bulletins/kiali-security-001/

Vendor Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2020-1764

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-1764

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-1764

EUVD