CVE-2021-20278
Published: May 28, 2021
Modified: Aug 3, 2024
PUBLISHED
Description
An authentication bypass vulnerability was found in Kiali in versions before 1.31.0 when the authentication strategy `OpenID` is used. When RBAC is enabled, Kiali assumes that some of the token validation is handled by the underlying cluster. When OpenID `implicit flow` is used with RBAC turned off, this token validation doesn't occur, and this allows a malicious user to bypass the authentication.
| Vendor | Product | Versions |
|---|---|---|
| n/a | kiali | affected kiali 1.31.0 |
Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1937171 (x_refsource_MISC)
- https://kiali.io/news/security-bulletins/kiali-security-002/ (x_refsource_MISC)