Kiali: error message spoofing in kiali ui
Description
A content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection when an error response is retrieved from the URL being accessed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kiali does not handle missing endpoints, allowing an attacker to inject arbitrary text into error responses (content spoofing).
Kiali (https://github.com/kiali/kiali [1]) is a management console for the Istio service mesh, providing observability and configuration capabilities. A content spoofing vulnerability (CVE-2022-3962) exists because Kiali fails to implement proper error handling when a requested page or endpoint cannot be found [3]. This flaw allows an attacker to perform arbitrary text injection into the error response returned from the URL being accessed [3].
The attack surface is the Kiali UI, where an attacker can craft a request to a non-existent endpoint. The vulnerability does not require authentication, as the error handling occurs before any user validation, and can be exploited over the network. By manipulating the URL, an attacker can cause Kiali to return a response containing attacker-controlled text, effectively spoofing the content of a legitimate page [2][3].
The impact is content spoofing, which can be used for phishing or to mislead users into believing they are viewing trusted Kiali content. While the attacker cannot directly modify server-side data or execute code, the injected text can be used to impersonate legitimate pages, potentially tricking users into disclosing credentials or performing unintended actions.
Red Hat rated this vulnerability as Important and addressed it in RHSA-2023:0542, part of the Red Hat OpenShift Service Mesh 2.3.1 update [4]. Users should update to the patched version of Kiali to mitigate the risk. No public proof-of-concept has been reported, but the vulnerability is listed in the Red Hat CVE database with a CVSS base score of 7.1 (Medium severity) [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
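To make the spoofing path concrete, the following is an added example (not Kiali's code and not part of this record) that models the login page's handling of the OpenID error parameters before and after the fix commit listed under Patches. The function names, the injected `log` sink and the sample query string are constructed for the illustration; the on-screen strings follow the patch, and the parameter names `error`, `error_description` and `openid_error` are the ones the patch reads.

```javascript
// Added illustration for CVE-2022-3962 (not Kiali's own code). The Kiali login page reads
// OpenID error parameters from the redirect URL. Before the fix the parameter text was
// reflected into the on-screen message; after the fix only a fixed string is shown and
// the detail goes to a log sink. Both variants are modelled as pure functions.

// Pre-fix behaviour: IdP-supplied parameter text is inserted into the message the user sees.
function reflectedLoginMessages(search) {
  const params = new URLSearchParams(search);
  const messages = [];
  if (params.get('error')) {
    if (params.get('error_description')) {
      messages.push(`Authentication error: ${params.get('error_description')}`);
    } else {
      messages.push(`The OpenID provider returned the following error code: ${params.get('error')}`);
    }
  }
  if (params.get('openid_error')) {
    messages.push(`Authentication failed: ${params.get('openid_error')}`);
  }
  return messages;
}

// Post-fix behaviour: on-screen messages are fixed strings; the untrusted detail only reaches
// the log sink (console.warn in Kiali; passed in here so a caller can inspect it).
function genericLoginMessages(search, log) {
  const params = new URLSearchParams(search);
  const messages = [];
  if (params.get('error')) {
    if (params.get('error_description')) {
      log(`Authentication error_description: ${params.get('error_description')}`);
      messages.push('Authentication failed!');
    } else {
      log(`Authentication error: ${params.get('error')}`);
      messages.push('Authentication failed.');
    }
  }
  if (params.get('openid_error')) {
    log(`Authentication openid_error: ${params.get('openid_error')}`);
    messages.push('OpenID authentication failed.');
  }
  return messages;
}

// Run both variants over one query string and report whether any on-screen message carries
// text that came from the URL rather than from the application itself.
function compareBehaviours(search) {
  const params = new URLSearchParams(search);
  const untrusted = ['error', 'error_description', 'openid_error']
    .map((k) => params.get(k))
    .filter((v) => v);
  const leaksParam = (msgs) => msgs.some((m) => untrusted.some((v) => m.includes(v)));
  const logged = [];
  const reflected = reflectedLoginMessages(search);
  const generic = genericLoginMessages(search, (line) => logged.push(line));
  return {
    reflected,
    generic,
    logged,
    reflectedLeaksParam: leaksParam(reflected),
    genericLeaksParam: leaksParam(generic),
  };
}

// Constructed sample redirect: a normal-looking IdP error code plus a free-text error_description
// that did not originate in Kiali (the placeholder text stands in for whatever a redirect carries).
const SAMPLE_SEARCH =
  '?error=access_denied&error_description=' + encodeURIComponent('CONSTRUCTED spoofed notice text');

console.log(JSON.stringify(compareBehaviours(SAMPLE_SEARCH), null, 2));
```

The `compareBehaviours` report shows the defence in one place: the pre-fix messages contain the `error_description` text verbatim, while the post-fix messages never do, and the only place the untrusted text appears is the log sink, where it is useful for troubleshooting (and for spotting unexpected redirect parameters) without being presented to the user as Kiali's own words.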
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/kiali/kiali (Go) | < 1.57.4 | 1.57.4 |
Affected products
- Red Hat / OpenShift Service Mesh 2.1 (cpe:/a:redhat:service_mesh:2.1)
- Red Hat / Red Hat OpenShift Service Mesh 2.3 for RHEL 8 (cpe:/a:redhat:service_mesh:2.3::el8), range: 1.57.5-3
- OSV coordinates (7 versions): pkg:apk/chainguard/kiali, pkg:apk/chainguard/kiali-api, pkg:apk/chainguard/kiali-ui, pkg:apk/wolfi/kiali, pkg:apk/wolfi/kiali-api, pkg:apk/wolfi/kiali-ui, pkg:golang/github.com/kiali/kiali
- (no CPE) range: < 0 (six identical entries)
- (no CPE) range: < 1.57.4
Patches
- aab7694f850f: show generic login error in UI, only log the specific error messages (#5638) (#5640)
1 file changed · +9 −8
frontend/src/pages/Login/LoginPage.tsx+9 −8 modified@@ -135,30 +135,31 @@ export class LoginPage extends React.Component<LoginProps, LoginState> { const urlParams = new URLSearchParams(pageParams); // When using OpenId auth, the IdP can redirect back with `error` and `error_description` - // as url parameters. If these params are set, show them as errors. + // as url parameters. If these params are set, we cannot assume they are not spoofed, so we only + // log the errors but do not show them in the UI. We only show a generic error message. // Reference: https://openid.net/specs/openid-connect-core-1_0-final.html#AuthError if (urlParams.get('error')) { if (urlParams.get('error_description')) { + console.warn(`Authentication error_description: ${urlParams.get('error_description')}`) messages.push( - this.renderMessage(`Authentication error: ${urlParams.get('error_description')}`, 'danger', 'idp-err') + this.renderMessage(`Authentication failed!`, 'danger', 'idp-err') ); } else { + console.warn(`Authentication error: ${urlParams.get('error')}`) messages.push( - this.renderMessage( - `The OpenID provider returned the following error code: ${urlParams.get('error')}`, - 'danger', - 'idp-err' - ) + this.renderMessage(`Authentication failed.`, 'danger', 'idp-err') ); } } // Also, when using OpenId auth, the IdP can return with success. However, in the "authorization code" flow, // the Kiali backend still needs to do some extra negotiation with the IdP, which can fail. // The backend will set an "openid_error" url parameter when there is some failure. + // Only log the openid_error since we cannot guarantee it is not spoofed. We only show a generic error message in the UI. 
if (urlParams.get('openid_error')) { + console.warn(`Authentication openid_error: ${urlParams.get('openid_error')}`) messages.push( - this.renderMessage(`Authentication failed: ${urlParams.get('openid_error')}`, 'danger', 'openid-err') + this.renderMessage(`OpenID authentication failed.`, 'danger', 'openid-err') ); }
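Review bot: the two `error` branches now render a generic message that differs only in punctuation (`Authentication failed!` vs `Authentication failed.`), and since both branches otherwise do the same thing with the same `idp-err` key, the nested `if` can be collapsed into one branch that logs both `error` and `error_description` and pushes a single shared string; the added `console.warn` lines are also missing the trailing semicolons the rest of the file uses. Suggested shape: `console.warn(\`Authentication error: ${urlParams.get('error')} ${urlParams.get('error_description') ?? ''}\`);` followed by one `this.renderMessage('Authentication failed.', 'danger', 'idp-err')`.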
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2023:0542 (vendor advisory)
- github.com/advisories/GHSA-6f4m-j56w-55c3 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-3962 (advisory)
- access.redhat.com/security/cve/CVE-2022-3962 (vulnerability database entry)
- bugzilla.redhat.com/show_bug.cgi (issue tracking)
- github.com/kiali/kiali/commit/aab7694f850f04d7fd875fac5f720a93ccdf01ad (fix commit)
- issues.redhat.com/browse/OSSM-2251 (issue tracking)
News mentions
No linked articles in our index yet.