CVE-2023-37917

2023-07-2121:15:11

CWE-269

[email protected]

web.nvd.nist.gov

kubepi

cve

2023

37917

kubernetes

management panel

unauthorized admin privileges

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L

8.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.6%

JSON

KubePi is an opensource kubernetes management panel. A normal user has permission to create/update users, they can become admin by editing the isadmin value in the request. As a result any user may take administrative control of KubePi. This issue has been addressed in version 1.6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

NVD

Node

1panel-devkubepiRange<1.6.5

CPENameOperatorVersion
fit2cloud:kubepifit2cloud kubepilt1.6.5

CPE	Name	Operator	Version
fit2cloud:kubepi	fit2cloud kubepi	lt	1.6.5

CNA Affected

[
  {
    "vendor": "1Panel-dev",
    "product": "KubePi",
    "versions": [
      {
        "version": "< 1.6.5",
        "status": "affected"
      }
    ]
  }
]