CVE-2022-45933: Critical Security Issue that could lead to full cluster takeover · Issue #95 · benc-uk/kubeview
KubeView through 0.1.31 allows attackers to obtain control of a Kubernetes cluster because api/scrape/kube-system does not require authentication, and retrieves certificate files that can be used for authentication as kube-admin. NOTE: the vendor’s position is that KubeView was a “fun side project and a learning exercise,” and not “very secure.”
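The advisory describes two separable problems: the scrape endpoint needs no authentication, and its response includes credential material (certificate files) that a dashboard never needs to return. The following Go program is an added example, not KubeView's own code, showing how a defender would close both gaps in a small `net/http` server: a bearer-token middleware in front of the `/api/scrape/` route, and a handler that strips Secret contents from the response regardless of who is asking. The route path, the token scheme, the `scrapeResult` type and the sample cluster data are all assumptions constructed for this example; a real deployment would query the API server and would typically delegate authentication to an ingress or OIDC proxy rather than a static token.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// scrapeResult is a constructed stand-in for the per-namespace data a
// cluster dashboard might return. Only object names are needed for
// visualisation; Secret contents are never required.
type scrapeResult struct {
	Namespace string            `json:"namespace"`
	Pods      []string          `json:"pods"`
	Secrets   map[string]string `json:"secrets,omitempty"`
}

// fakeClusterData is a constructed sample in place of real API-server queries.
// The "admin.conf" entry stands in for the kind of credential material an
// unfiltered handler would otherwise expose.
var fakeClusterData = map[string]scrapeResult{
	"kube-system": {
		Namespace: "kube-system",
		Pods:      []string{"coredns-0", "kube-apiserver-0"},
		Secrets:   map[string]string{"admin.conf": "client-certificate-data: <placeholder>"},
	},
}

// scrapeHandler serves the namespace view. It redacts Secret contents
// unconditionally, so even an authenticated caller gets names only.
func scrapeHandler(w http.ResponseWriter, r *http.Request) {
	ns := strings.TrimPrefix(r.URL.Path, "/api/scrape/")
	res, ok := fakeClusterData[ns] // res is a copy; the global is not mutated
	if !ok {
		http.NotFound(w, r)
		return
	}
	res.Secrets = nil // defence in depth: never ship credential data to the UI
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(res)
}

// requireToken wraps a handler with bearer-token authentication. An empty
// expected token fails closed instead of silently allowing everyone in.
func requireToken(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if expected == "" || subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
			w.Header().Set("WWW-Authenticate", `Bearer realm="kubeview"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMux builds the router with the scrape subtree behind authentication.
func newMux(token string) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/api/scrape/", requireToken(token, http.HandlerFunc(scrapeHandler)))
	return mux
}

// probe issues an in-process request and returns the status code and body,
// which is how you would unit-test that the route really is protected.
func probe(h http.Handler, path, token string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	mux := newMux("example-token") // constructed value; load from config in practice
	for _, tok := range []string{"", "wrong", "example-token"} {
		code, body := probe(mux, "/api/scrape/kube-system", tok)
		fmt.Printf("token=%q -> %d %s", tok, code, body)
	}
}
```

The two controls are deliberately independent: if the authentication layer is ever misconfigured or bypassed by a reverse proxy, the redaction in `scrapeHandler` still keeps certificate data out of the response, and if redaction is forgotten for a new object type, the token check still limits who can reach the endpoint at all. The `probe` helper doubles as a regression test; the unauthenticated case must return 401, not the namespace data.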
You’re welcome.
Sure I understand.
Excuse me if I offended you by asking for this to be done ASAP. It wasn’t intended.
I also didn’t mean to suggest only one way for the fix: authentication. I totally respect how you want security to be implemented since it’s your project.
It was out of panic and concern that’s all. I’m sure you can imagine the impact if this is exposed to a malicious actor.
However, authentication would reduce the amount of information disclosure to zero, which I believe is the best option. Of course, I’ll be glad to hear a better opinion.
I’m positive that you also won’t disagree that jeopardizing the security of an entire cluster would greatly outweigh a great solution like yours. Even if it’s totally open-source and free.
Kindly mind that responsibility.
Thank you again.