Security Bulletins

Kiali releases every three weeks and so generally resolves CVEs in new releases only. Golang vulnerabilities are typically resolved in a timely way, as the Go version for release builds increments fairly often. Occasionally, critical CVEs may be resolved in patch releases for supported versions. Additionally, not every CVE reported against a Kiali dependency is actually a vulnerability. For reported CVEs that are proven not to affect Kiali, see the table below:

CVE Description Notes
CVE-2022-1996 github.com/emicklei/go-restful Despite the package dependency Kiali is not susceptible to this vulnerability


For Kiali-specific vulnerabilities there will be releases made as needed. At release time a security bulletin will be release as well. For prior bulletins see below:

KIALI-SECURITY-003 - Installation into ad-hoc namespaces

KIALI-SECURITY-002 - Authentication bypass when using the OpenID login strategy

KIALI-SECURITY-001 - Authentication bypass using forged credentials

Last modified June 1, 2023 : Add Ignore CVEs table to Security page (#658) (40b4788)