Description: When verifying the iss field, telemeter uses `strings.Split(tokenData, ".")` to extract the payload, which means that the user should submit a Compact type JWS Token. However, go-jose's `jwt.ParseSigned(tokenData)` also supports authenticating JWS Token of JSON type. That means if the attacker submits a Token like: ``` { "fakeiss":".eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIn0.", "protected":"", "header":"", "payload":"", "signature":"" } ``` The attacker can forge a token issued by Google to pass the verification(for example). If two server use the same pair of key, the attacker can use the token from the first server to deceive the second server, and cause the privilege escape. The original reporter has raised this issue to Kubernetes, and they have fixed this problem: https://github.com/kubernetes/kubernetes/pull/123540 --- https://github.com/openshift/telemeter Version: 4.17 Related Code: https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78