
GHSA-87f6-8gr7-pc6h: KubePi may leak password hash of any user

Summary

http://kube.pi/kubepi/api/v1/users/search?pageNum=1&&pageSize=10 leaks the password hash of any user (including admin). This can lead to a password-cracking attack.

PoC

https://drive.google.com/file/d/1ksdawJ1vShRJyT3wAgpqVmz-Ls6hMA7M/preview

Impact

  • Leaking confidential information.
  • Can lead to password-cracking attacks.

KubePi may leak password hash of any user

Moderate severity · GitHub Reviewed · Published Jul 21, 2023 in 1Panel-dev/KubePi · Updated Jul 21, 2023

Related news

CVE-2023-37916: Leak password hash of any user

KubePi is an open-source Kubernetes management panel. The endpoint /kubepi/api/v1/users/search?pageNum=1&&pageSize=10 leaks the password hash of any user (including admin). A sufficiently motivated attacker may be able to crack leaked password hashes. This issue has been addressed in version 1.6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
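As an added example (not part of the advisory or of the KubePi project), the following Python triage reads web-server access logs in front of a KubePi instance and summarises which clients received user records from the endpoint named above, so an operator can scope exposure while upgrading to 1.6.5. The combined log format and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Endpoint named in the advisory (fixed in KubePi 1.6.5).
AFFECTED_PATH = "/kubepi/api/v1/users/search"

# Combined-log-format line: client, timestamp, request line, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Per client: how many HTTP 200 responses came from the affected endpoint,
    and which pageNum values were requested (an enumeration of all pages is
    the sign that every user record, hash included, was retrieved)."""
    hits = defaultdict(lambda: {"count": 0, "pages": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["status"] != "200":
            continue  # only responses that actually returned data matter here
        path, _, query = rec["path"].partition("?")
        if path != AFFECTED_PATH:
            continue
        page = re.search(r"pageNum=(\d+)", query)
        hits[rec["client"]]["count"] += 1
        if page:
            hits[rec["client"]]["pages"].add(int(page.group(1)))
    return {c: {"count": v["count"], "pages": sorted(v["pages"])} for c, v in hits.items()}


# Constructed sample lines (not real traffic); the "&&" is copied from the advisory URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jul/2023:10:00:01 +0000] "GET /kubepi/api/v1/users/search?pageNum=1&&pageSize=10 HTTP/1.1" 200 812',
    '10.0.0.5 - - [21/Jul/2023:10:00:02 +0000] "GET /kubepi/api/v1/users/search?pageNum=2&&pageSize=10 HTTP/1.1" 200 790',
    '10.0.0.9 - - [21/Jul/2023:10:01:00 +0000] "GET /kubepi/api/v1/users/search?pageNum=1&&pageSize=10 HTTP/1.1" 401 45',
    '10.0.0.7 - - [21/Jul/2023:10:02:00 +0000] "GET /kubepi/api/v1/clusters HTTP/1.1" 200 1201',
]

if __name__ == "__main__":
    for client, info in triage(SAMPLE_LOG).items():
        print(client, info["count"], info["pages"])
```

Any client listed in the output retrieved user records through the affected endpoint; rotating the passwords of the users on the pages it fetched is the follow-up, since the hashes may be recoverable offline.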