Lucene search

GoogleOSV:GHSA-87F6-8GR7-PC6H

HistoryJul 21, 2023 - 8:18 p.m.

KubePi may leak password hash of any user

2023-07-2120:18:09

Google

osv.dev

kubepi

password hash

user information

password crack attack

confidential information

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.2 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

40.7%

JSON

Summary

http://kube.pi/kubepi/api/v1/users/search?pageNum=1&&pageSize=10 leak password of any user (including admin). This leads to password crack attack

PoC

https://drive.google.com/file/d/1ksdawJ1vShRJyT3wAgpqVmz-Ls6hMA7M/preview

Impact

Leaking confidential information.
Can lead to password cracking attacks

CPENameOperatorVersion
github.com/kubeoperator/kubepilt1.6.5

CPE	Name	Operator	Version
	github.com/kubeoperator/kubepi	lt	1.6.5

References

drive.google.com/file/d/1ksdawJ1vShRJyT3wAgpqVmz-Ls6hMA7M/preview

github.com/1Panel-dev/KubePi

github.com/1Panel-dev/KubePi/releases/tag/v1.6.5

github.com/1Panel-dev/KubePi/security/advisories/GHSA-87f6-8gr7-pc6h

nvd.nist.gov/vuln/detail/CVE-2023-37916

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.2 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

40.7%

JSON

Related for OSV:GHSA-87F6-8GR7-PC6H