Headline
CVE-2022-36089: Fix: fix signedKey using platform id by FogDong · Pull Request #4634 · kubevela/kubevela
KubeVela is an application delivery platform Users using KubeVela’s VelaUX APIServer could be affected by an authentication bypass vulnerability. In KubeVela prior to versions 1.4.11 and 1.5.4, VelaUX APIServer uses the PlatformID
as the signed key to generate the JWT tokens for users. Another API called getSystemInfo
exposes the platformID. This vulnerability allows users to use the platformID to re-generate the JWT tokens to bypass the authentication. Versions 1.4.11 and 1.5.4 contain a patch for this issue.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
Signed-off-by: FogDong [email protected]
Description of your changes
Fixes #
I have:
- Read and followed KubeVela’s contribution process.
- Related Docs updated properly. In a new feature or configuration option, an update to the documentation is necessary.
- Run make reviewable to ensure this PR is ready for review.
- Added backport release-x.y labels to auto-backport this PR if necessary.
How has this code been tested****Special notes for your reviewer
@barnettZQG
@@ -63,6 +63,7 @@ func (u systemInfoServiceImpl) Get(ctx context.Context) (*model.SystemInfo, erro
}
return info, nil
}
info.SignedKey = rand.String(32)
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will the random string be persistented ?
it still has potential risks if we store them as configmap(database).
Signed-off-by: FogDong [email protected]
Backport failed for release-1.4, because it was unable to cherry-pick the commit(s).
Please cherry-pick the changes locally.
git fetch origin release-1.4 git worktree add -d .worktree/backport-4634-to-release-1.4 origin/release-1.4 cd .worktree/backport-4634-to-release-1.4 git checkout -b backport-4634-to-release-1.4 ancref=$(git merge-base 5a241078b7708893eb1381eee13494ef7929de3b 7c6db17a7fce94881f6d1a61ea6c0430a912f436) git cherry-pick -x $ancref…7c6db17a7fce94881f6d1a61ea6c0430a912f436
Backport failed for release-1.5, because it was unable to create a new branch.
Please cherry-pick the changes locally.
git fetch origin release-1.5 git worktree add -d .worktree/backport-4634-to-release-1.5 origin/release-1.5 cd .worktree/backport-4634-to-release-1.5 git checkout -b backport-4634-to-release-1.5 ancref=$(git merge-base 5a241078b7708893eb1381eee13494ef7929de3b 7c6db17a7fce94881f6d1a61ea6c0430a912f436) git cherry-pick -x $ancref…7c6db17a7fce94881f6d1a61ea6c0430a912f436