x/vulndb: potential Go vuln in github.com/kiali/kiali: GHSA-ggjr-2f7v-vhq4 #700

GoVulnBot · 2022-08-01T19:01:05Z

In GitHub Security Advisory GHSA-ggjr-2f7v-vhq4, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/kiali/kiali	1.31.0	< 1.31.0

See doc/triage.md for instructions on how to triage this report.

packages:
  - package: github.com/kiali/kiali
    versions:
      - fixed: 1.31.0
description: An authentication bypass vulnerability was found in Kiali in versions
    before 1.31.0 when the authentication strategy `OpenID` is used. When RBAC is
    enabled, Kiali assumes that some of the token validation is handled by the underlying
    cluster. When OpenID `implicit flow` is used with RBAC turned off, this token
    validation doesn't occur, and this allows a malicious user to bypass the authentication.
published: 2021-06-01T21:57:08Z
last_modified: 2021-06-03T21:52:23Z
cves:
  - CVE-2021-20278
ghsas:
  - GHSA-ggjr-2f7v-vhq4
links:
    context:
      - https://github.com/advisories/GHSA-ggjr-2f7v-vhq4

The text was updated successfully, but these errors were encountered:

rolandshoemaker · 2022-08-03T17:48:39Z

Vuln in tool.

gopherbot · 2024-06-14T19:55:07Z

Change https://go.dev/cl/592770 mentions this issue: data/reports: unexclude 50 reports

gopherbot · 2024-08-20T19:37:21Z

Change https://go.dev/cl/607223 mentions this issue: data/reports: unexclude 20 reports (21)

- data/reports/GO-2022-0642.yaml - data/reports/GO-2022-0644.yaml - data/reports/GO-2022-0645.yaml - data/reports/GO-2022-0647.yaml - data/reports/GO-2022-0649.yaml - data/reports/GO-2022-0700.yaml - data/reports/GO-2022-0703.yaml - data/reports/GO-2022-0704.yaml - data/reports/GO-2022-0705.yaml - data/reports/GO-2022-0707.yaml - data/reports/GO-2022-0708.yaml - data/reports/GO-2022-0709.yaml - data/reports/GO-2022-0732.yaml - data/reports/GO-2022-0749.yaml - data/reports/GO-2022-0751.yaml - data/reports/GO-2022-0752.yaml - data/reports/GO-2022-0759.yaml - data/reports/GO-2022-0760.yaml - data/reports/GO-2022-0769.yaml - data/reports/GO-2022-0770.yaml Updates #642 Updates #644 Updates #645 Updates #647 Updates #649 Updates #700 Updates #703 Updates #704 Updates #705 Updates #707 Updates #708 Updates #709 Updates #732 Updates #749 Updates #751 Updates #752 Updates #759 Updates #760 Updates #769 Updates #770 Change-Id: I3dabcc907fd498009a9bd4cf865198037615717e Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607223 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com>

julieqiu assigned rolandshoemaker Aug 3, 2022

rolandshoemaker added the NotGoVuln label Aug 3, 2022

rolandshoemaker closed this as completed Aug 3, 2022

neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed NotGoVuln labels Aug 10, 2022

GoVulnBot mentioned this issue Sep 25, 2023

x/vulndb: potential Go vuln in github.com/kiali/kiali: GHSA-6f4m-j56w-55c3 #2075

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/kiali/kiali: GHSA-ggjr-2f7v-vhq4 #700

x/vulndb: potential Go vuln in github.com/kiali/kiali: GHSA-ggjr-2f7v-vhq4 #700

GoVulnBot commented Aug 1, 2022

rolandshoemaker commented Aug 3, 2022

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024

x/vulndb: potential Go vuln in github.com/kiali/kiali: GHSA-ggjr-2f7v-vhq4 #700

x/vulndb: potential Go vuln in github.com/kiali/kiali: GHSA-ggjr-2f7v-vhq4 #700

Comments

GoVulnBot commented Aug 1, 2022

rolandshoemaker commented Aug 3, 2022

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024