CVE-2021-20278: Authentication Bypass by Spoofing

June 1, 2021 (updated June 3, 2021)

An authentication bypass vulnerability was found in Kiali in versions before 1.31.0 when the authentication strategy OpenID is used. When RBAC is enabled, Kiali assumes that some of the token validation is handled by the underlying cluster. When OpenID implicit flow is used with RBAC turned off, this token validation doesn’t occur, and this allows a malicious user to bypass the authentication.

References

github.com/advisories/GHSA-ggjr-2f7v-vhq4
nvd.nist.gov/vuln/detail/CVE-2021-20278

Code Behaviors & Features

Detect and mitigate CVE-2021-20278 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →