
GHSA-757p-vx43-fp9r: KubePi Privilege Escalation vulnerability

Summary

A normal user who has permission to create or update users can become admin by editing the `isadmin` value in the request.

PoC

Change the value of the `isadmin` field in the request to `true` (demonstration video): https://drive.google.com/file/d/1e8XJbIFIDXaFiL-dqn0a0b6u7o3CwqSG/preview

Impact

A low-privileged user can elevate their own privileges to administrator.


Critical severity. GitHub Reviewed. Published Jul 21, 2023 in 1Panel-dev/KubePi. Updated Jul 21, 2023.

Related news

CVE-2023-37917: Privilege Escalation in kubeoperator/kubepi

KubePi is an open-source Kubernetes management panel. A normal user who has permission to create or update users can become admin by editing the `isadmin` value in the request. As a result, any such user may take administrative control of KubePi. This issue has been addressed in version 1.6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
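The flaw described in the summary above is a mass-assignment bug: the update handler binds the whole request body onto the stored account, so a privileged field (`isadmin`) is writable by anyone allowed to edit users. The following Go snippet is an added illustration written for this page; it is not KubePi's code, and the `User`, `UpdateRequest`, `Caller` types and the two handler functions are constructed for the example. It places the vulnerable pattern next to a hardened version that only lets an already-privileged caller change the admin flag.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// User is a simplified stored account record (constructed for this example).
type User struct {
	Name    string `json:"name"`
	IsAdmin bool   `json:"isadmin"`
}

// UpdateRequest mirrors the JSON body a client sends. Because it carries the
// same isadmin field as the stored record, json.Unmarshal will happily fill it
// from untrusted input (constructed type, not KubePi's).
type UpdateRequest struct {
	Name    string `json:"name"`
	IsAdmin bool   `json:"isadmin"`
}

// Caller is the authenticated principal performing the update (constructed).
type Caller struct {
	Name    string
	IsAdmin bool
}

// vulnerableUpdate copies every field of the request onto the stored user.
// Any caller allowed to edit users can therefore set isadmin=true on any
// account, including their own: this is the mass-assignment defect.
func vulnerableUpdate(stored *User, body []byte) error {
	var req UpdateRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return err
	}
	stored.Name = req.Name
	stored.IsAdmin = req.IsAdmin // privileged field taken straight from the client
	return nil
}

// hardenedUpdate performs the same update but enforces a server-side rule for
// the privileged field: only an admin caller may change isadmin. A non-admin
// request that tries to flip the flag is rejected and the record is untouched.
// (An equivalent fix is to use a request struct without an IsAdmin field at all.)
func hardenedUpdate(caller Caller, stored *User, body []byte) error {
	var req UpdateRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return err
	}
	if req.IsAdmin != stored.IsAdmin && !caller.IsAdmin {
		return fmt.Errorf("caller %q is not permitted to change isadmin", caller.Name)
	}
	stored.Name = req.Name
	stored.IsAdmin = req.IsAdmin
	return nil
}

func main() {
	// Constructed sample request: a normal user edits their own account and
	// adds isadmin=true to the body.
	body := []byte(`{"name":"alice","isadmin":true}`)
	alice := Caller{Name: "alice", IsAdmin: false}

	u1 := User{Name: "alice"}
	_ = vulnerableUpdate(&u1, body)
	fmt.Printf("vulnerable handler: isadmin=%v\n", u1.IsAdmin) // true: escalated

	u2 := User{Name: "alice"}
	err := hardenedUpdate(alice, &u2, body)
	fmt.Printf("hardened handler: isadmin=%v err=%v\n", u2.IsAdmin, err) // false, error
}
```

The check lives in the handler rather than in the client or the data model, which is the only place the authorization decision can be trusted; a similar server-side rule (or a request type that simply omits privileged fields) is the general defence against this class of bug.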