KubeVela is an application delivery platform Users using KubeVela's VelaUX APIServer could be affected by an authentication bypass vulnerability. In KubeVela prior to versions 1.4.11 and 1.5.4, VelaUX APIServer uses the `PlatformID` as the signed key to generate the JWT tokens for users. Another API called `getSystemInfo` exposes the platformID. This vulnerability allows users to use the platformID to re-generate the JWT tokens to bypass the authentication. Versions 1.4.11 and 1.5.4 contain a patch for this issue.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-09-07T23:00:15
Updated: 2024-08-03T09:52:00.489Z
Reserved: 2022-07-15T00:00:00
Link: CVE-2022-36089
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-09-07T23:15:14.240
Modified: 2024-11-21T07:12:21.707
Link: CVE-2022-36089
Redhat
No data.