Vulnerability details: VCID-ncgy-zymr-aaap
Vulnerability ID VCID-ncgy-zymr-aaap
Aliases CVE-2020-1764
GHSA-64rh-r86q-75ff
Summary CVE-2020-1764 kiali: JWT cookie uses default signing key
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (2)
System Score Found at
rhas Moderate https://access.redhat.com/errata/RHSA-2020:0975
cvssv3 8.6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1764.json
epss 0.00209 https://api.first.org/data/v1/epss?cve=CVE-2020-1764
epss 0.00224 https://api.first.org/data/v1/epss?cve=CVE-2020-1764
epss 0.05246 https://api.first.org/data/v1/epss?cve=CVE-2020-1764
epss 0.46638 https://api.first.org/data/v1/epss?cve=CVE-2020-1764
rhbs high https://bugzilla.redhat.com/show_bug.cgi?id=1810383
cvssv3.1 8.6 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764
cvssv3.1 8.6 https://github.com/jpts/cve-2020-1764-poc
generic_textual HIGH https://github.com/jpts/cve-2020-1764-poc
cvssv3.1 8.6 https://github.com/kiali/kiali/commit/93f5cd0b6698e8fe8772afb8f35816f6c086aef1
generic_textual HIGH https://github.com/kiali/kiali/commit/93f5cd0b6698e8fe8772afb8f35816f6c086aef1
cvssv3.1 8.6 https://github.com/kiali/kiali/commit/ac7bd6c7ddb2e01356e21d360dd1c718a90706ad
generic_textual HIGH https://github.com/kiali/kiali/commit/ac7bd6c7ddb2e01356e21d360dd1c718a90706ad
cvssv3.1 8.6 https://github.com/kiali/kiali/commit/ce48af57113c805a25179aaab1a0fac2fb93653f
generic_textual HIGH https://github.com/kiali/kiali/commit/ce48af57113c805a25179aaab1a0fac2fb93653f
cvssv3.1 8.6 https://github.com/kiali/kiali/commit/faed1f5f90efae3df9fd6fb793f00ccc242b3a96
generic_textual HIGH https://github.com/kiali/kiali/commit/faed1f5f90efae3df9fd6fb793f00ccc242b3a96
cvssv3.1 8.6 https://kiali.io/news/security-bulletins/kiali-security-001
generic_textual HIGH https://kiali.io/news/security-bulletins/kiali-security-001
cvssv2 7.5 https://nvd.nist.gov/vuln/detail/CVE-2020-1764
cvssv3 8.6 https://nvd.nist.gov/vuln/detail/CVE-2020-1764
cvssv3.1 8.6 https://nvd.nist.gov/vuln/detail/CVE-2020-1764
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1764.json

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/jpts/cve-2020-1764-poc

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/kiali/kiali/commit/93f5cd0b6698e8fe8772afb8f35816f6c086aef1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/kiali/kiali/commit/ac7bd6c7ddb2e01356e21d360dd1c718a90706ad

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/kiali/kiali/commit/ce48af57113c805a25179aaab1a0fac2fb93653f

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/kiali/kiali/commit/faed1f5f90efae3df9fd6fb793f00ccc242b3a96

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://kiali.io/news/security-bulletins/kiali-security-001

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2020-1764

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2020-1764

Exploit Prediction Scoring System (EPSS)
Percentile 0.59248
EPSS Score 0.00209
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.