Miggo Logo
Miggo Vulnerability Database
CVE-2021-20278

CVE-2021-20278:
Kiali Authentication Bypass vulnerability

6.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-20278
GHSA ID
GHSA-ggjr-2f7v-vhq4
EPSS Score
0.3788%
CWE
CWE-287
Published
6/1/2021
Updated
1/30/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/kiali/kialigo< 1.31.01.31.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing token validation in OpenID implicit flow when RBAC is disabled. The patch modifies performOpenIdAuthentication to add validation logic specifically when conf.Auth.OpenId.DisableRBAC is true. The function's original code path (before patch) would skip both Kubernetes-based RBAC checks AND the new in-house validation when RBAC was disabled, making it the direct point of vulnerability. The function signature is derived from the file path hierarchy and Go package structure conventions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *ut**nti**tion *yp*ss vuln*r**ility w*s *oun* in Ki*li in v*rsions ***or* *.**.* w**n t** *ut**nti**tion str*t**y `Op*nI*` is us**. W**n R*** is *n**l**, Ki*li *ssum*s t**t som* o* t** tok*n v*li**tion is **n*l** *y t** un**rlyin* *lust*r. W**n Op

Reasoning

T** vuln*r**ility st*ms *rom missin* tok*n v*li**tion in Op*nI* impli*it *low w**n R*** is *is**l**. T** p*t** mo*i*i*s `p*r*ormOp*nI**ut**nti**tion` to *** v*li**tion lo*i* sp**i*i**lly w**n `*on*.*ut*.Op*nI*.*is**l*R***` is tru*. T** *un*tion's ori