N/A

An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

不充分的会话过期机制

Kiali 授权问题漏洞

Kiali是一款开源的、用于Istio微服务架构的可视化管理工具。 Kiali 0.4.0版本至1.15.0版本中存在授权问题漏洞，该漏洞源于不充分的JWT验证。远程攻击者可通过窃取有效的JWT cookie并伪造用户会话利用该漏洞获取权限，查看并修改Istio配置。

N/A

N/A