x/vulndb: potential Go vuln in github.com/awslabs/aws-alb-route-directive-adapter-for-istio: CVE-2024-8901

[GoVulnBot]

Advisory CVE-2024-8901 references a vulnerability in the following Go modules:

Module
github.com/awslabs/aws-alb-route-directive-adapter-for-istio

Description:
The AWS ALB Route Directive Adapter For Istio repo https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/tree/master provides an OIDC authentication mechanism that was integrated into the open source Kubeflow project. The adapter uses JWT for authentication, but lacks proper signer and issuer validation. In uncommon deployments of ALB, wherein endpoints are exposed to internet traffic, an actor can provide a JWT signed by an untrusted entity in order to spoof OIDC-federated sessions and successfully bypass authentication.

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-8901
• WEB: https://aws.amazon.com/security/security-bulletins/AWS-2024-011/
• WEB: GHSA-789x-wph8-m68r

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/awslabs/aws-alb-route-directive-adapter-for-istio
      vulnerable_at: 0.0.0-20200804172706-d9e79a98b755
summary: CVE-2024-8901 in github.com/awslabs/aws-alb-route-directive-adapter-for-istio
cves:
    - CVE-2024-8901
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8901
    - web: https://aws.amazon.com/security/security-bulletins/AWS-2024-011/
    - web: https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/security/advisories/GHSA-789x-wph8-m68r
source:
    id: CVE-2024-8901
    created: 2024-10-22T01:01:19.382414106Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/622835 mentions this issue: data/reports: add 16 unreviewed reports