CVE-2020-1762 was discovered during the investigation of CVE-2020-1764, and I’ll do a longer write-up for that vulnerability. In short, though, Kiali did not check token expirations prior to v1.15.1. When using password-based authentication, users’ sessions would be based on a JWT token that would effectively never expire. Kiali offers several authentication mechanisms, and I did not take the time to fully investigate the impact of this vulnerability on other authentication mechanisms.
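
The class of bug described above, shown as an added Go example that is not Kiali's code: a verifier that checks only the JWT signature accepts a token whose `exp` is long past, while the same verifier with an expiry check rejects it. The function names `sign` and `verify`, the HS256 algorithm, the claim contents and the key are assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
// sign builds an HS256 JWT; used only to construct the sample tokens below.
func sign(key []byte, exp int64) string {
	head := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body := b64.EncodeToString([]byte(fmt.Sprintf(`{"sub":"demo","exp":%d}`, exp)))
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(head + "." + body))
	return head + "." + body + "." + b64.EncodeToString(mac.Sum(nil))
}

// verify always checks the signature; exp is enforced only when checkExp is true.
func verify(token string, key []byte, now time.Time, checkExp bool) error {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(p[0] + "." + p[1]))
	if sig, err := b64.DecodeString(p[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return errors.New("bad signature")
	}
	var c struct{ Exp *int64 `json:"exp"` }
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return errors.New("bad claims")
	}
	// Hardened path: a missing exp is rejected rather than read as "never expires".
	if checkExp && (c.Exp == nil || !now.Before(time.Unix(*c.Exp, 0))) {
		return errors.New("token expired or missing exp")
	}
	return nil
}

func main() {
	key, now := []byte("constructed-demo-key"), time.Now()
	old := sign(key, now.Add(-24*time.Hour).Unix()) // expired a day ago
	fmt.Println(verify(old, key, now, false), "|", verify(old, key, now, true))
}
```

With `checkExp` false the day-old token verifies cleanly, which is why a signature check alone does not bound session lifetime.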