CVE-2020-1764: 
Wolfi vulnerability analysis and mitigation

CVE-2020-1764 is a hard-coded cryptographic key vulnerability discovered in Kiali, affecting all versions prior to 1.15.1. The vulnerability was disclosed on March 25, 2020. The issue exists in the default configuration file where a hard-coded signing key for JWT cookies is known in the source code (NVD, Kiali Security).

The vulnerability has a CVSS v3.1 base score of 8.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H. The issue stems from the use of a default signing key for JWT (JSON Web Token) cookies that is publicly known through the source code, allowing attackers to forge authentication tokens (NVD, Red Hat Bugzilla).

If exploited, an attacker can perform all Kiali admin functions via the API, including viewing pod logs, accessing Istio metrics and tracing, altering Istio routing configurations, and modifying pod availability. This could lead to denial of service by preventing traffic from reaching pods or manipulating traffic distribution (Red Hat Bugzilla).

The primary mitigation is to upgrade to Kiali version 1.15.1 or later. For users unable to upgrade, a workaround involves setting a secure signing key when deploying Kiali. This can be done through the Kiali operator or via Istio helm charts/istioctl command by generating and applying a random signing key (Kiali Security).

The vulnerability was acknowledged by Red Hat, who released security advisory RHSA-2020:0975 to address the issue in OpenShift Service Mesh 1.0. The discovery was credited to Dagan Henderson of Akoya, LLC (Red Hat Advisory).