The OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always
validated thus allowing access in the presence of any access token attached to the request.
This issue has been addressed in the following products:
OpenShift Service Mesh 2.1
Via RHSA-2022:5004 https://access.redhat.com/errata/RHSA-2022:5004
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):