Headline
GHSA-gqx8-hxmv-c4v4: KubePi may allow unauthorized access to system API
Summary
The following API endpoints can be reached without authentication and leak sensitive information:
/kubepi/api/v1/systems/operation/logs/search
/kubepi/api/v1/systems/login/logs/search
This vulnerability also exists in https://github.com/KubeOperator/KubeOperator
Details
The vulnerable route registrations are in KubePi/internal/api/v1/v1.go:
sp.Post("/login/logs/search", handler.LoginLogsSearch())
This registers the handler directly on the v1 route group, with no authentication middleware in front of it. Following the handler further, there is no role-based authorization check either.
sp.Post("/operation/logs/search", handler.OperationLogsSearch())
The same applies to this route: no authentication middleware and no role check.
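To make the registration mistake concrete, here is an added example (written for this page, not KubePi's own code) that builds the two route registrations the advisory describes, the unprotected one and a hardened one behind an authentication and role middleware, and probes both. The session store, the role names, the request body and the sample log entries are constructed assumptions; the only things taken from the advisory are the two endpoint paths.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Paths from the advisory. The handler, session store and role model below are
// assumptions for this example, not KubePi's own code.
var logSearchPaths = []string{
	"/kubepi/api/v1/systems/login/logs/search",
	"/kubepi/api/v1/systems/operation/logs/search",
}

// Constructed session store: cookie value -> role. A real panel would look the
// session up in its session backend instead.
var sessions = map[string]string{
	"tok-admin":  "admin",
	"tok-viewer": "viewer",
}

// Constructed sample audit entries: the kind of data these endpoints return.
var sampleLogs = []map[string]string{
	{"user": "admin", "ip": "10.0.0.5", "action": "login", "result": "success"},
	{"user": "dev1", "ip": "10.0.0.9", "action": "delete namespace prod", "result": "success"},
}

// logsSearch stands in for a search handler that dumps audit entries. It does no
// access check itself, so everything depends on how the route is registered.
func logsSearch(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(sampleLogs)
}

// requireRole is an illustrative middleware: reject requests without a valid
// session cookie (401) and sessions whose role is not the allowed one (403).
func requireRole(allowed string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session")
		if err != nil {
			http.Error(w, `{"error":"authentication required"}`, http.StatusUnauthorized)
			return
		}
		role, ok := sessions[c.Value]
		if !ok {
			http.Error(w, `{"error":"invalid session"}`, http.StatusUnauthorized)
			return
		}
		if role != allowed {
			http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewVulnerableMux registers the search handlers directly on the router, the
// pattern the advisory describes: no authentication or role middleware in front.
func NewVulnerableMux() http.Handler {
	mux := http.NewServeMux()
	for _, p := range logSearchPaths {
		mux.Handle(p, http.HandlerFunc(logsSearch))
	}
	return mux
}

// NewHardenedMux wraps the same handlers so that only an authenticated admin
// session can read audit logs.
func NewHardenedMux() http.Handler {
	mux := http.NewServeMux()
	for _, p := range logSearchPaths {
		mux.Handle(p, requireRole("admin", http.HandlerFunc(logsSearch)))
	}
	return mux
}

// Probe sends the POST a client would send and returns the HTTP status code.
// An empty cookie simulates an unauthenticated caller.
func Probe(h http.Handler, path, cookie string) int {
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader(`{"keyword":""}`))
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: cookie})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, p := range logSearchPaths {
		fmt.Printf("%s\n  vulnerable, no cookie: %d\n  hardened, no cookie:   %d\n  hardened, viewer:      %d\n  hardened, admin:       %d\n",
			p,
			Probe(NewVulnerableMux(), p, ""),
			Probe(NewHardenedMux(), p, ""),
			Probe(NewHardenedMux(), p, "tok-viewer"),
			Probe(NewHardenedMux(), p, "tok-admin"))
	}
}
```

The same probe works against a live deployment: an unauthenticated POST to either path that answers 200 with log entries instead of 401 shows the fix is absent. Registering handlers through a group that already carries the session middleware, rather than on the bare v1 router, is what prevents this class of omission.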
Impact
Affected versions: KubePi <= 1.6.3. An unauthenticated caller can query the login-log and operation-log search endpoints listed above.
References
- GHSA-gqx8-hxmv-c4v4
Related news
KubePi is a modern Kubernetes panel. The API interfaces with unauthorized entities and may leak sensitive information. This issue has been patched in version 1.6.4. There are currently no known workarounds.