exploitDog
GHSA-87f6-8gr7-pc6h

Published: 21 Jul 2023
Source: github
GitHub: reviewed
CVSS3: 6.5

Description

KubePi may leak password hash of any user

Summary

The endpoint http://kube.pi/kubepi/api/v1/users/search?pageNum=1&&pageSize=10 leaks the password hash of any user (including admin), which enables offline password-cracking attacks.

PoC

https://drive.google.com/file/d/1ksdawJ1vShRJyT3wAgpqVmz-Ls6hMA7M/preview

Impact

  • Leaking confidential information (user password hashes).
  • Can lead to password-cracking attacks.

Packages

Name: github.com/KubeOperator/kubepi
Ecosystem: go
Affected versions: < 1.6.5
Fixed version: 1.6.5

EPSS

Percentile: 40%
Score: 0.00182
Low

CVSS3

6.5 Medium

Weaknesses

CWE-200

Related vulnerabilities

CVSS3: 6.5
nvd
more than 2 years ago

KubePi is an open-source Kubernetes management panel. The endpoint /kubepi/api/v1/users/search?pageNum=1&&pageSize=10 leaks the password hash of any user (including admin). A sufficiently motivated attacker may be able to crack the leaked password hashes. This issue has been addressed in version 1.6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
