NOTE: Kiali takes security seriously and encourages users to report security concerns.
If you run a security scan on Kiali software and would like to report a security scan report to the Kiali team, we only ask that you first verify that your scan is correctly validating the latest release and that the results are valid. Security report investigation often takes priority over scheduled work and can be time consuming for the Kiali maintainers to research and validate. So, please verify that your submitted report accurately reflects the Kiali software being scanned, and that the reported security issue(s) actually affect Kiali or one of its dependencies.
Kiali releases every three weeks and so generally resolves CVEs in new releases only. Golang vulnerabilities are typically resolved in a timely way, as the Go version for release builds increments fairly often. Occasionally, critical CVEs may be resolved in patch releases for supported versions. Additionally, not every CVE reported against a Kiali dependency is actually a vulnerability. For reported CVEs that are proven not to affect Kiali, see the table below:
|CVE-2022-27191||golang.org/x/crypto/ssh allows an attacker to crash a server in certain circumstances involving AddHostKey||Kiali does not use the AddHostKey API; furthermore, neither Kiali nor its dependencies import this component. Thus Kiali is not susceptible to this vulnerability.|
|CVE-2022-1996||github.com/emicklei/go-restful||Despite the package dependency Kiali is not susceptible to this vulnerability|
|CVE-2019-1010022||GNU Libc current is affected by: Mitigation bypass.||This is a disputed CVE. According to upstream, it is not a security issue. For details, please see https://sourceware.org/bugzilla/show_bug.cgi?id=22850 and https://security-tracker.debian.org/tracker/CVE-2019-1010022|
For Kiali-specific vulnerabilities there will be releases made as needed. At release time a security bulletin will be release as well. For prior bulletins see below: