PT-2021-13870 · Kiali · Kiali

Mark Cooper · Published 2021-05-28 · Updated 2024-08-21 · CVE-2021-20278

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Kiali versions prior to 1.31.0
Description: An authentication bypass issue was found when the authentication strategy OpenID is used. The problem arises when Kiali assumes some token validation is handled by the underlying cluster with RBAC enabled, but this validation does not occur when OpenID implicit flow is used with RBAC turned off. This allows a malicious user to bypass authentication.
Recommendations: For versions prior to 1.31.0, update to version 1.31.0 or later to resolve the issue. As a temporary workaround, consider disabling the OpenID authentication strategy or enabling RBAC to prevent exploitation. Restrict access to the implicit flow when using the OpenID authentication strategy to minimize the risk of exploitation.
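The flaw described above is an application trusting that something downstream (the cluster, once RBAC is on) will reject a bad ID token, so with RBAC off nothing checks it. The defensive property is that the application validates the token itself, unconditionally. The following is an added illustration in Go (the language Kiali is written in), not Kiali's own code and not the fix shipped in 1.31.0: it verifies an RS256 OpenID Connect ID token's pinned algorithm, signature against the identity provider's key, issuer, audience and expiry, with no dependence on any later authorization layer. The `mintIDToken` helper, the issuer `https://idp.example`, the client ID `kiali-client` and the fixed clock are constructed stand-ins so the example runs offline; only the string form of the `aud` claim is handled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// idTokenClaims is the subset of OIDC ID-token claims checked here.
// Only the string form of "aud" is handled (an assumption of this example).
type idTokenClaims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expiry   int64  `json:"exp"`
}

// newKeyPair generates a throwaway RSA key. It stands in for the identity
// provider's signing key, and in the demo also for a key the server does not trust.
func newKeyPair() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// mintIDToken produces an RS256-signed JWT. It is a constructed stand-in for
// the identity provider so the example runs offline.
func mintIDToken(priv *rsa.PrivateKey, c idTokenClaims) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	signingInput := header + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// validateIDToken is the check the application performs itself: pinned algorithm,
// signature against the trusted IdP key, issuer, audience and expiry. Nothing
// downstream (such as cluster RBAC) is relied on to reject a token that fails here.
func validateIDToken(token string, idpKey *rsa.PublicKey, issuer, clientID string, now time.Time) (*idTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var header struct {
		Alg string `json:"alg"`
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHeader, &header) != nil {
		return nil, errors.New("malformed header")
	}
	if header.Alg != "RS256" { // pin the algorithm; the token never gets to choose it
		return nil, errors.New("unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(idpKey, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c idTokenClaims
	if err != nil || json.Unmarshal(rawClaims, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Issuer != issuer {
		return nil, errors.New("untrusted issuer")
	}
	if c.Audience != clientID {
		return nil, errors.New("token not issued for this client")
	}
	if c.Expiry == 0 || !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	idp, rogue := newKeyPair(), newKeyPair()
	now := time.Unix(1700000000, 0) // fixed clock so the demo is reproducible
	claims := idTokenClaims{Issuer: "https://idp.example", Subject: "alice", Audience: "kiali-client", Expiry: now.Unix() + 300}
	// First token is signed by the trusted IdP key, second by a key the server does not trust.
	for _, tok := range []string{mintIDToken(idp, claims), mintIDToken(rogue, claims)} {
		_, err := validateIDToken(tok, &idp.PublicKey, "https://idp.example", "kiali-client", now)
		fmt.Println("accepted:", err == nil, "error:", err)
	}
}
```

The point of the structure is that `validateIDToken` takes no flag for "is RBAC enabled" and has no path that skips a check: a token signed by a key other than the IdP's, issued for another client, or past its expiry is rejected by the application before any cluster authorization is consulted.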

Fix

Weakness Enumeration

Authentication Bypass by Spoofing
Improper Authentication

Related Identifiers

CVE-2021-20278
GHSA-GGJR-2F7V-VHQ4
GO-2022-0700

Affected Products

Kiali