A vulnerability was found in Kiali v1.30.0 when the `OpenID` authentication strategy is used. When RBAC is enabled, Kiali assumes that part of the token validation is handled by the underlying cluster rather than by Kiali itself. Hence, when OpenID `implicit flow` is used with RBAC turned off, that validation never occurs: the token a user presents at login is accepted without being verified, which may allow a malicious user to bypass authentication.
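The failure mode described above, as an added example that is not Kiali's code or the upstream fix: a login handler that only trusts the cluster to check the OpenID `id_token` (so nothing checks it when RBAC is off) beside one that always validates signature, issuer, audience and expiry locally. The provider key, the `Claims` subset, the issuer/audience values and the helper names (`signIDToken`, `forgeIDToken`, `loginVulnerable`, `loginFixed`) are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of OpenID id_token claims this example checks (assumed).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// Session is what the login handler hands back on success.
type Session struct{ User string }

// JWS uses base64url without padding.
var b64 = base64.RawURLEncoding

// newProviderKey stands in for the OpenID provider's signing key (constructed for the example).
func newProviderKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// signIDToken builds an RS256 JWT as a real provider would; only the test input uses it.
func signIDToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// forgeIDToken is what an attacker can produce without the provider's key:
// plausible header and claims, and filler bytes where the signature belongs.
func forgeIDToken(c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	return b64.EncodeToString(hdr) + "." + b64.EncodeToString(body) + "." + b64.EncodeToString([]byte("not-a-signature"))
}

// parseUnverified decodes the claims without checking anything; this is all the
// vulnerable path does with the token when RBAC is off.
func parseUnverified(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	raw, err := b64.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	return c, json.Unmarshal(raw, &c)
}

// verifyIDToken validates the token locally. The header's alg is deliberately
// ignored: we always verify RS256 with the key we trust, never what the token says.
func verifyIDToken(token string, pub *rsa.PublicKey, iss, aud string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return Claims{}, errors.New("bad signature")
	}
	c, err := parseUnverified(token)
	if err != nil {
		return Claims{}, err
	}
	if c.Iss != iss || c.Aud != aud {
		return Claims{}, errors.New("wrong issuer or audience")
	}
	if now.Unix() >= c.Exp {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// loginVulnerable mirrors the flawed assumption: with RBAC on the token goes to
// the cluster, which rejects forgeries (verifyIDToken stands in for that check);
// with RBAC off nothing downstream looks at it, yet its claims are still trusted.
func loginVulnerable(token string, rbacEnabled bool, pub *rsa.PublicKey, iss, aud string, now time.Time) (Session, error) {
	var c Claims
	var err error
	if rbacEnabled {
		c, err = verifyIDToken(token, pub, iss, aud, now)
	} else {
		c, err = parseUnverified(token)
	}
	if err != nil {
		return Session{}, err
	}
	return Session{User: c.Sub}, nil
}

// loginFixed validates the token itself whatever the RBAC setting; the cluster
// may check it again, but never instead of the login handler.
func loginFixed(token string, rbacEnabled bool, pub *rsa.PublicKey, iss, aud string, now time.Time) (Session, error) {
	_ = rbacEnabled
	c, err := verifyIDToken(token, pub, iss, aud, now)
	if err != nil {
		return Session{}, err
	}
	return Session{User: c.Sub}, nil
}

func main() {
	priv := newProviderKey()
	const iss, aud = "https://idp.example.test", "kiali" // assumed values
	now := time.Now()
	forged := forgeIDToken(Claims{Iss: iss, Sub: "attacker", Aud: aud, Exp: now.Add(time.Hour).Unix()})
	_, err := loginVulnerable(forged, false, &priv.PublicKey, iss, aud, now)
	fmt.Println("vulnerable handler, RBAC off, forged token accepted:", err == nil)
	_, err = loginFixed(forged, false, &priv.PublicKey, iss, aud, now)
	fmt.Println("fixed handler, RBAC off, forged token accepted:", err == nil)
}
```

The point of the two handlers is that authentication must not depend on a later authorization step happening to reject bad input: once RBAC is off, the cluster call that implicitly validated the token disappears, and only a check Kiali performs itself remains.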
External References: https://kiali.io/news/security-bulletins/kiali-security-002/
Upstream fix: https://github.com/kiali/kiali/commit/19c9b64b76e5daf4fda46f783864cce5e4497a08
Acknowledgments: Name: the Kiali Security Group
Statement: OpenShift ServiceMesh (OSSM) Kiali is configured to delegate authorization to OpenShift RBAC user rights, and the OpenID authentication strategy is not supported there; it is therefore marked `not affected`.