CVE-2020-1764

Exploit

EPSS 5.25%
Veröffentlicht 26.03.2020 13:15:13
Zuletzt bearbeitet 21.11.2024 05:11:20
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Kiali ≫ Kiali Version < 1.15.1

Redhat ≫ Openshift Service Mesh Version1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	5.25%	0.89

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.6	3.9	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
secalert@redhat.com	8.6	3.9	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CWE-321 Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764

Third Party Advisory

Issue Tracking

Mitigation

https://kiali.io/news/security-bulletins/kiali-security-001/

Vendor Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2020-1764

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-1764

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-1764

EUVD