CVE Vulnerabilities

CVE-2020-1762

Session Fixation

Published: Apr 27, 2020 | Modified: Nov 07, 2023
CVSS 3.x
8.6
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
7 MODERATE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Ubuntu

An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.

Weakness

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Affected Software

Name Vendor Start Version End Version
Kiali Kiali 0.4.0 (including) 1.15.1 (excluding)
Openshift Service Mesh 1.0 RedHat jaeger-0:v1.13.1.redhat6-1.el7 *
Openshift Service Mesh 1.0 RedHat kiali-0:v1.0.10.redhat1-1.el7 *

Extended Description

Such a scenario is commonly observed when:

Potential Mitigations

References