Insufficient Session Expiration in Kiali
High severity
GitHub Reviewed
Published
May 18, 2021
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Package
Affected versions
>= 0.4.0, < 1.15.1
Patched versions
1.15.1
Description
Reviewed
May 18, 2021
Published to the GitHub Advisory Database
May 18, 2021
Last updated
Jan 9, 2023
An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.
References