漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
KubePi's JWT token validation has a defect
Vulnerability Description
KubePi is a K8s panel. Starting in version 1.6.3 and prior to version 1.8.0, there is a defect in the KubePi JWT token verification. The JWT key in the default configuration file is empty. Although a random 32-bit string will be generated to overwrite the key in the configuration file when the key is detected to be empty in the configuration file reading logic, the key is empty during actual verification. Using an empty key to generate a JWT token can bypass the login verification and directly take over the back end. Version 1.8.0 contains a patch for this issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Vulnerability Type
CWE-1259
Vulnerability Title
KubePi 安全漏洞
Vulnerability Description
KubePi是1Panel-dev开源的一个K8s面板。它允许管理员导入多个Kubernetes集群,并且通过权限控制,将不同cluster、namespace的权限分配给指定用户。 KubePi 1.6.3版本至1.8.0之前版本存在安全漏洞,该漏洞源于kubepi jwttoken校验存在缺陷,允许使用空密钥生成jwttoken可绕过登录校验,直接接管后台。
CVSS Information
N/A
Vulnerability Type
N/A