AWS Latest Bulletins

CVE-2024-8901 - missing JWT issuer and signer validation in aws-alb-route-directive-adapter-for-istio

A security vulnerability was discovered in the AWS ALB Route Directive Adapter For Istio repository, which is integrated into the Kubeflow project. The adapter uses JWT for authentication but lacks proper signer and issuer validation. In uncommon ALB deployments where endpoints are exposed to internet traffic, an actor can exploit this to bypass authentication by presenting a JWT signed by an untrusted entity.

The affected versions are v1.0 and v1.1. The repository has been deprecated and is no longer actively supported.

As a security best practice, users are advised to ensure that their ELB targets do not have public IP addresses. Additionally, users should validate that the signer attribute in the JWT header matches the ARN of the Application Load Balancer. The ALB documentation provides guidance on verifying the signature and validating the signer field in the JWT header.

The vulnerability has been assigned CVE-2024-8901 and a GitHub Security Advisory has been published. Users with security questions or concerns are advised to email aws-security@amazon.com.
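The mitigation above, pinning the header's signer to your ALB's ARN (and the issuer) before trusting the key id and checking the signature, as an added example in Go; this is not code from the adapter or from AWS. The ARN, issuer and key ids are constructed values, `KeyResolver` is an in-memory stand-in for the regional ALB public-key endpoint, and `NewKey`/`Sign` are hypothetical helpers that only exist to build sample tokens offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// KeyResolver stands in for the regional ALB public-key endpoint: it maps a kid to a public key.
type KeyResolver func(kid string) (*ecdsa.PublicKey, bool)
var enc = base64.RawURLEncoding
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }
// NewKey and Sign exist only to construct sample tokens offline (throwaway P-256 key, ES256 r||s signature).
func NewKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func Sign(hdr map[string]any, payload string, key *ecdsa.PrivateKey) string {
	h, _ := json.Marshal(hdr)
	input := enc.EncodeToString(h) + "." + enc.EncodeToString([]byte(payload))
	r, s, _ := ecdsa.Sign(rand.Reader, key, digest(input))
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + enc.EncodeToString(sig)
}

// Verify accepts a token only if alg, signer (the ALB ARN) and iss equal the pinned values and the signature verifies under the key published for the header's kid.
func Verify(token, wantSigner, wantIss string, resolve KeyResolver) error {
	p := strings.Split(token, ".")
	var hdr map[string]any
	if raw, err := enc.DecodeString(p[0]); len(p) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return fmt.Errorf("malformed token or header")
	}
	// The checks the vulnerable adapter lacked: pin signer and issuer before trusting the kid.
	if hdr["alg"] != "ES256" || hdr["signer"] != wantSigner || hdr["iss"] != wantIss {
		return fmt.Errorf("untrusted signer %v / issuer %v", hdr["signer"], hdr["iss"])
	}
	pub, ok := resolve(fmt.Sprint(hdr["kid"]))
	sig, err := enc.DecodeString(p[2])
	if !ok || err != nil || len(sig) != 64 {
		return fmt.Errorf("unknown kid or bad signature encoding")
	}
	if !ecdsa.Verify(pub, digest(p[0]+"."+p[1]), new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("signature mismatch")
	}
	return nil
}
```

A production verifier should additionally enforce the token's expiry and derive the key-fetch region from the pinned ARN rather than from anything in the untrusted header.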