Lucene search

Https://gitlab.com/gitlab-org/security-products/gemnasium-dbGITLAB-57E7EE8C5C54B03FB9A39F1ED4EEE38E

HistoryJul 21, 2023 - 12:00 a.m.

Improper Access Control

2023-07-2100:00:00

https://gitlab.com/gitlab-org/security-products/gemnasium-db

gitlab.com

kubepi

access control

vulnerability

admin access

software

upgrade

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.5%

JSON

KubePi is an opensource kubernetes management panel. A normal user has permission to create/update users, they can become admin by editing the isadmin value in the request. As a result any user may take administrative control of KubePi. This issue has been addressed in version 1.6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

Node

gokubepiRange<v1.6.5

CPENameOperatorVersion
go/github.com/kubeoperator/kubepiltv1.6.5

CPE	Name	Operator	Version
	go/github.com/kubeoperator/kubepi	lt	v1.6.5

References

github.com/1Panel-dev/KubePi/security/advisories/GHSA-757p-vx43-fp9r

nvd.nist.gov/vuln/detail/CVE-2023-37917