CVE-2024-8901: 
Linux openSUSE vulnerability analysis and mitigation

The AWS ALB Route Directive Adapter For Istio repository provides an OIDC authentication mechanism integrated into the open source Kubeflow project. This vulnerability (CVE-2024-8901) was discovered and disclosed on October 21, 2024, affecting versions v1.0 and v1.1 of the adapter. The core issue lies in the JWT authentication mechanism, which lacks proper signer and issuer validation (AWS Bulletin, GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N. It is categorized under CWE-290 (Authentication Bypass by Spoofing). The technical issue stems from the adapter's failure to properly validate JWT signer and issuer identity, particularly in configurations where ALB targets are directly exposed to internet traffic (AWS Bulletin).

In deployments where ALB targets are directly exposed to internet traffic (contrary to security best practices), an attacker can provide a JWT signed by an untrusted entity to successfully bypass authentication and spoof OIDC-federated sessions. This could lead to unauthorized access to protected resources (AWS Bulletin).

The repository has been deprecated and is no longer actively supported. As security best practices, users should ensure their ELB targets (e.g., EC2 Instances, Fargate Tasks) do not have public IP addresses. For any forked or derivative code, it's crucial to validate that the signer attribute in the JWT matches the ARN of the Application Load Balancer that the service is configured to use (AWS Bulletin).