A malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by rare conditions, such as a particular combination of host and expiry time, in which the HMAC payload is always accepted by the OAuth2 filter's HMAC check.
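The page does not describe the payload layout behind the check. The example below, added here and not Envoy's or Red Hat's code, assumes the classic root cause of such a bug: the HMAC is computed over host and expiry concatenated with no delimiter, so a tag issued for one host/expiry split also verifies for another split of the same bytes, and the expiry can move. It contrasts that with a length-prefixed encoding that commits to the field boundary; key and credential values are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key; stands in for the filter's configured HMAC secret.
SECRET = b"demo-secret-not-for-production"


def mac_concat(host: str, expires: str) -> str:
    """Assumed-vulnerable layout: host and expiry joined with no delimiter.

    Every split of the same byte string yields the same tag, so the field
    boundary is not authenticated; digits at the end of the host can move
    into the expiry and vice versa.
    """
    payload = host.encode() + expires.encode()
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def mac_length_prefixed(host: str, expires: str) -> str:
    """Hardened layout: each field carries a 4-byte big-endian length prefix,
    so the tag commits to where one field ends and the next begins."""
    fields = (host.encode(), expires.encode())
    payload = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def validate(host: str, expires: str, tag: str, now: int, mac_fn) -> bool:
    """Accept only if the tag verifies under mac_fn and the expiry is in the future."""
    if not hmac.compare_digest(mac_fn(host, expires), tag):
        return False
    return int(expires) > now


if __name__ == "__main__":
    now = 1_600_000_000
    # Constructed credential: issued for a host ending in a digit, already expired.
    issued_host, issued_exp = "app.example.com1", "700000000"
    # The same bytes re-split: same host prefix, expiry pushed years into the future.
    presented_host, presented_exp = "app.example.com", "1700000000"
    for name, fn in (("concat", mac_concat), ("length-prefixed", mac_length_prefixed)):
        tag = fn(issued_host, issued_exp)
        print(name, "as issued:", validate(issued_host, issued_exp, tag, now, fn),
              "re-split:", validate(presented_host, presented_exp, tag, now, fn))
    # concat -> as issued: False, re-split: True; length-prefixed -> False, False
```

The same boundary-commitment requirement applies to any further fields (tokens, nonces) folded into the tag; a fixed delimiter that cannot appear in the field values works as well as a length prefix.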
This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.3 for RHEL 8, via RHSA-2023:4624: https://access.redhat.com/errata/RHSA-2023:4624
This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.4 for RHEL 8, via RHSA-2023:4625: https://access.redhat.com/errata/RHSA-2023:4625
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-35941
This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.2 for RHEL 8, via RHSA-2023:5175: https://access.redhat.com/errata/RHSA-2023:5175