CVE-2023-22480: KubeOperator is vulnerable to unauthorized access to system API

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-22480

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

KubeOperator is vulnerable to unauthorized access to system API

Source: NVD (National Vulnerability Database)

Vulnerability Description

KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used to take over the cluster under certain conditions. This issue has been patched in version 3.16.4.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Source: NVD (National Vulnerability Database)

Vulnerability Type

授权机制不恰当

Source: NVD (National Vulnerability Database)

Vulnerability Title

KubeOperator 授权问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

KubeOperator是一个开源的轻量级 Kubernetes 发行版，专注于帮助企业规划、部署和运营生产级别的 K8s 集群。 KubeOperator 3.16.4之前版本存在授权问题漏洞，该漏洞源于API与未经授权的实体交互，可能会泄露敏感信息。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
KubeOperator	KubeOperator	<= 3.16.3	-

II. Public POCs for CVE-2023-22480

#	POC Description	Source Link	Shenlong Link
1	KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used to take over the cluster under certain conditions. This issue has been patched in version 3.16.4.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-22480.yaml	POC Details
2	None	https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/KubeOperator%20kubeconfig%20%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E%20CVE-2023-22480.md	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-22480

Please Login to view more intelligence information

https://github.com/KubeOperator/KubeOperator/releases/tag/v3.16.4x_refsource_MISC
https://github.com/KubeOperator/KubeOperator/security/advisories/GHSA-jxgp-jgh3-8jc8x_refsource_CONFIRM
https://github.com/KubeOperator/KubeOperator/commit/7ef42bf1c16900d13e6376f8be5ecdbfdfb44aafx_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2023-22480

IV. Related Vulnerabilities

Same vendor: KubeOperator

Same weakness: CWE-285

V. Comments for CVE-2023-22480

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2023-22480

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-22480

III. Intelligence Information for CVE-2023-22480

IV. Related Vulnerabilities

V. Comments for CVE-2023-22480

Leave a comment