CVE-2020-1764 in Kiali and Red Hat Products
Published on March 26, 2020

A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.

NVD

Vulnerability Analysis

CVE-2020-1764 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

HIGH

Weakness Type

Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

Products Associated with CVE-2020-1764

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-1764 are published in these products:

Kiali

Red Hat Openshift Service Mesh

Affected Versions

Red Hat kiali Version all Kiali versions prior to 1.15.1 is affected by CVE-2020-1764

Exploit Probability

EPSS

6.05%

Percentile

90.55%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.