Description
KubePi Privilege Escalation vulnerability
Summary
A normal user has permission to create/update users and can become admin by editing the isadmin value in the request.
PoC
Change the value of the isadmin field in the request to true:
https://drive.google.com/file/d/1e8XJbIFIDXaFiL-dqn0a0b6u7o3CwqSG/preview
Impact
Elevate user privileges
Packages
Name: github.com/KubeOperator/kubepi (go)
Affected versions: < 1.6.5
Fixed version: 1.6.5
Related vulnerabilities
CVSS3: 9.1
nvd
more than 2 years ago
KubePi is an open source Kubernetes management panel. A normal user has permission to create/update users and can become admin by editing the `isadmin` value in the request. As a result, any user may take administrative control of KubePi. This issue has been addressed in version 1.6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
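
The flaw class described here (a privilege flag bound straight from the request body) and its server-side fix, as an added Go example that is not KubePi's code. The User type, the function names and the request body are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// User is a hypothetical account record, not KubePi's own model.
type User struct {
	Name    string `json:"name"`
	IsAdmin bool   `json:"isadmin"`
}

// UnsafeUpdate binds the body onto the stored record, so a client-sent isadmin is saved.
func UnsafeUpdate(stored User, body []byte) (User, error) {
	err := json.Unmarshal(body, &stored)
	return stored, err
}

// userUpdate uses pointers so "field absent" and "field false" differ.
type userUpdate struct {
	Name    *string `json:"name"`
	IsAdmin *bool   `json:"isadmin"`
}

// SafeUpdate copies fields one by one and lets only an admin caller change isadmin.
func SafeUpdate(caller, stored User, body []byte) (User, error) {
	var in userUpdate
	if err := json.Unmarshal(body, &in); err != nil {
		return stored, err
	}
	if in.IsAdmin != nil && *in.IsAdmin != stored.IsAdmin {
		if !caller.IsAdmin {
			return stored, errors.New("only an administrator may change isadmin")
		}
		stored.IsAdmin = *in.IsAdmin
	}
	if in.Name != nil {
		stored.Name = *in.Name
	}
	return stored, nil
}

func main() {
	alice, body := User{Name: "alice"}, []byte(`{"isadmin":true}`) // constructed request body
	fmt.Println(UnsafeUpdate(alice, body))      // flag accepted as sent
	fmt.Println(SafeUpdate(alice, alice, body)) // rejected with an error
}
```

The check compares the requested flag with the stored one, so a non-admin client that echoes back an unchanged `isadmin` value is still accepted.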