x/vulndb: potential Go vuln in github.com/kiali/kiali/config: GHSA-64rh-r86q-75ff #631

julieqiu · 2022-08-01T18:19:00Z

In GitHub Security Advisory GHSA-64rh-r86q-75ff, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/kiali/kiali/config	1.16.0-snapshot.1	<= 1.16.0-snapshot.0

See doc/triage.md for instructions on how to triage this report.

packages:
  - package: github.com/kiali/kiali/config
    versions:
      - introduced: TODO (earliest fixed "1.16.0-snapshot.1", vuln range "<= 1.16.0-snapshot.0")
  - package: github.com/kiali/kiali
    versions:
      - fixed: 1.15.1
description: A hard-coded cryptographic key vulnerability in the default configuration
    file was found in Kiali, all versions prior to 1.15.1. A remote attacker could
    abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication
    mechanisms, possibly gaining privileges to view and alter the Istio configuration.
published: 2021-05-18T18:28:59Z
last_modified: 2021-05-18T18:28:59Z
cves:
  - CVE-2020-1764
ghsas:
  - GHSA-64rh-r86q-75ff
links:
    context:
      - https://github.com/advisories/GHSA-64rh-r86q-75ff

The text was updated successfully, but these errors were encountered:

rolandshoemaker · 2022-08-03T18:13:43Z

Vuln in tool.

gopherbot · 2024-06-14T19:54:59Z

Change https://go.dev/cl/592770 mentions this issue: data/reports: unexclude 50 reports

gopherbot · 2024-08-20T19:37:47Z

Change https://go.dev/cl/607222 mentions this issue: data/reports: unexclude 20 reports (20)

- data/reports/GO-2022-0609.yaml - data/reports/GO-2022-0611.yaml - data/reports/GO-2022-0612.yaml - data/reports/GO-2022-0615.yaml - data/reports/GO-2022-0616.yaml - data/reports/GO-2022-0617.yaml - data/reports/GO-2022-0618.yaml - data/reports/GO-2022-0620.yaml - data/reports/GO-2022-0622.yaml - data/reports/GO-2022-0623.yaml - data/reports/GO-2022-0625.yaml - data/reports/GO-2022-0626.yaml - data/reports/GO-2022-0630.yaml - data/reports/GO-2022-0631.yaml - data/reports/GO-2022-0632.yaml - data/reports/GO-2022-0634.yaml - data/reports/GO-2022-0636.yaml - data/reports/GO-2022-0638.yaml - data/reports/GO-2022-0640.yaml - data/reports/GO-2022-0641.yaml Updates #609 Updates #611 Updates #612 Updates #615 Updates #616 Updates #617 Updates #618 Updates #620 Updates #622 Updates #623 Updates #625 Updates #626 Updates #630 Updates #631 Updates #632 Updates #634 Updates #636 Updates #638 Updates #640 Updates #641 Change-Id: I9fc909832a7e4eb1d23e5eee482674e307e3ee5c Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607222 Reviewed-by: Damien Neil <[email protected]> Auto-Submit: Tatiana Bradley <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>

julieqiu assigned rolandshoemaker Aug 3, 2022

rolandshoemaker added the NotGoVuln label Aug 3, 2022

rolandshoemaker closed this as completed Aug 3, 2022

neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed NotGoVuln labels Aug 10, 2022

GoVulnBot mentioned this issue Sep 25, 2023

x/vulndb: potential Go vuln in github.com/kiali/kiali: GHSA-6f4m-j56w-55c3 #2075

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/kiali/kiali/config: GHSA-64rh-r86q-75ff #631

x/vulndb: potential Go vuln in github.com/kiali/kiali/config: GHSA-64rh-r86q-75ff #631

julieqiu commented Aug 1, 2022

rolandshoemaker commented Aug 3, 2022

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024

x/vulndb: potential Go vuln in github.com/kiali/kiali/config: GHSA-64rh-r86q-75ff #631

x/vulndb: potential Go vuln in github.com/kiali/kiali/config: GHSA-64rh-r86q-75ff #631

Comments

julieqiu commented Aug 1, 2022

rolandshoemaker commented Aug 3, 2022

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024