Vulnerability Information
Vulnerability Title
KubePi's JWT token validation has a defect
Vulnerability Description
KubePi is a K8s panel. Starting in version 1.6.3 and prior to version 1.8.0, KubePi's JWT token verification is defective. The JWT key in the default configuration file is empty. Although the configuration-reading logic generates a random 32-bit string and writes it over the empty key in the configuration file when it detects that the key is empty, the key used during actual verification is still empty. A JWT token generated with an empty key therefore bypasses the login verification and allows the back end to be taken over directly. Version 1.8.0 contains a patch for this issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Vulnerability Type
CWE-1259
Vulnerability Title
KubePi security vulnerability
Vulnerability Description
KubePi is an open-source K8s panel from 1Panel-dev. It lets administrators import multiple Kubernetes clusters and, through permission control, assign permissions on different clusters and namespaces to designated users. KubePi versions from 1.6.3 up to, but not including, 1.8.0 contain a security vulnerability that stems from a defect in the KubePi JWT token validation: a JWT token generated with an empty key can bypass the login check and directly take over the back end.
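Both descriptions above come down to the same failure: the verifier checks signatures against whatever key it is configured with, and that key is empty at verification time even though a random replacement was generated elsewhere. The following Go program is an added example written for this page, not KubePi's code. It implements compact HS256 JWT signing and verification with only the standard library, places a lenient verifier that reproduces the defect beside a hardened one that fails closed on an empty or short key, and adds a startup helper that resolves the key once so the same value reaches every verifier. The names `signHS256`, `verifyHS256Lenient`, `verifyHS256`, `loadJWTKey`, the `minKeyLen` policy value and the claims are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// b64 is the URL-safe, unpadded base64 alphabet that compact JWTs use.
var b64 = base64.RawURLEncoding

// minKeyLen is an assumed policy value: HS256 keys shorter than this are refused.
const minKeyLen = 32
var errWeakKey = errors.New("jwt: signing key empty or too short; refusing to verify")

// signHS256 builds a compact JWT (header.payload.signature) with HMAC-SHA256. It
// does not inspect the key, which is how an empty-key token can exist at all.
func signHS256(claims map[string]any, key []byte) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// verifyHS256Lenient mirrors the defect: it checks the signature against
// whatever key it is handed, so with an empty key an empty-key token passes.
func verifyHS256Lenient(token string, key []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: malformed token")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	// Pinning the algorithm also rejects alg=none and algorithm-confusion tokens.
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "HS256" {
		return nil, errors.New("jwt: unsupported or missing alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return nil, errors.New("jwt: signature mismatch")
	}
	rawClaims, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(rawClaims, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// verifyHS256 is the hardened form: an empty or short key is a configuration
// error, so it fails closed and accepts no token until the key is fixed.
func verifyHS256(token string, key []byte) (map[string]any, error) {
	if len(key) < minKeyLen {
		return nil, errWeakKey
	}
	return verifyHS256Lenient(token, key)
}

// loadJWTKey is the startup-side fix (an assumed design, not KubePi's code):
// resolve the key once and return it, so the value written to the config file
// and the value every verifier uses cannot diverge; "" becomes 32 random bytes.
func loadJWTKey(configured string) ([]byte, error) {
	if configured != "" {
		return []byte(configured), nil
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	// Constructed claims for a session token signed with the misconfigured empty key.
	tok, _ := signHS256(map[string]any{"sub": "admin"}, []byte(""))
	_, err := verifyHS256(tok, []byte(""))
	fmt.Println("hardened verifier refuses the empty-key token:", err != nil)
}
```

The two verifiers differ only in the length guard, which is the point: the signature check itself is correct in both, so a review that looks only at the HMAC comparison would miss the bug. The guard turns an empty key from a silent bypass into a startup-visible error, and `loadJWTKey` removes the second root cause by making the resolved key the only key any code path can see.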
CVSS Information
N/A
Vulnerability Type
N/A