1937171 – (CVE-2021-20278) CVE-2021-20278 kiali: authentication bypass when using the OpenID login strategy

Bug 1937171 (CVE-2021-20278) - CVE-2021-20278 kiali: authentication bypass when using the OpenID login strategy

Summary: CVE-2021-20278 kiali: authentication bypass when using the OpenID login strategy

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2021-20278
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1937165
TreeView+	depends on / blocked

Reported:	2021-03-10 03:24 UTC by Mark Cooper
Modified:	2023-08-31 23:41 UTC (History)
CC List:	5 users (show)
Fixed In Version:	kiali 1.31.0
Doc Type:	If docs needed, set a value
Doc Text:	An authentication bypass vulnerability was found in Kiali when the authentication strategy `OpenID` is used. When RBAC is enabled, Kiali assumes that some of the token validation is handled by the underlying cluster. When OpenID `implicit flow` is used with RBAC turned off, this token validation doesn't occur, and this allows a malicious user to bypass the authentication.
Clone Of:
Environment:
Last Closed:	2021-03-10 09:05:45 UTC
Embargoed:

Attachments	(Terms of Use)

Description Mark Cooper 2021-03-10 03:24:03 UTC

A vulnerability was found in kiali v1.30.0 when the authentication strategy `OpenID` is used. When RBAC is enabled, Kiali assumes that some of the token validation is handled by the underlying cluster. Hence, when OpenID `implicit flow` is used with RBAC turned off, this token validation doesn't occur and may allow a malicious user to bypass the authentication.

Comment 1 Mark Cooper 2021-03-10 03:24:06 UTC

External References:

https://kiali.io/news/security-bulletins/kiali-security-002/

Comment 3 Mark Cooper 2021-03-10 03:39:55 UTC

Upstream fix: https://github.com/kiali/kiali/commit/19c9b64b76e5daf4fda46f783864cce5e4497a08

Comment 5 Mark Cooper 2021-03-11 00:36:29 UTC

Acknowledgments:

Name: the Kiali Security Group

Comment 6 RaTasha Tillery-Smith 2021-03-11 13:28:04 UTC

Statement:

OpenShift ServiceMesh (OSSM) Kiali is configured to delegate authorization to the OpenShift's RBAC user rights and the OpenID authentication strategy is not supported, therefore it is marked `not affected`.

Note You need to log in before you can comment on or make changes to this bug.