KubePi <= v1.6.4 LoginLogsSearch - Unauthorized Access
KubePi is a modern Kubernetes panel. The API interfaces with unauthorized entities and may leak sensitive information. This issue has been patched in version 1.6.4. There are currently no known workarounds. id: CVE-2023-22478 info: name: KubePi <= v1.6.4 LoginLogsSearch - Unauthorized Access autho...
KubePi JwtSigKey - Admin Authentication Bypass
KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermor...
EUVD-2023-2000
Malicious code in bioql PyPI...
EUVD-2023-1986
Malicious code in bioql PyPI...
EUVD-2023-0553
Malicious code in bioql PyPI...
VulnCheck KEV: CVE-2023-22463
KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermor...
CVE-2023-22478
KubePi is a modern Kubernetes panel. The API interfaces with unauthorized entities and may leak sensitive information. This issue has been patched in version 1.6.4. There are currently no known workarounds...
CVE-2023-22463
KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermor...
CVE-2023-37917
KubePi is an open-source Kubernetes management panel. A normal user with permission to create/update users can become admin by editing the isadmin value in the request. As a result, any such user may take administrative control of KubePi. This issue has been addressed in version 1.6.5. Users are...
CVE-2023-37916
KubePi is an open-source Kubernetes management panel. The endpoint /kubepi/api/v1/users/search?pageNum=1&=10 leaks the password hash of any user, including admin. A sufficiently motivated attacker may be able to crack the leaked password hashes. This issue has been addressed in version 1.6.5. Users are...
CVE-2023-22479
KubePi is a modern Kubernetes panel. A session fixation attack allows an attacker to hijack a legitimate user session; versions 1.6.3 and below are susceptible. A patch will be released in version 1.6.4...
VulnCheck KEV: CVE-2024-36111
KubePi is a K8s panel. Starting in version 1.6.3 and prior to version 1.8.0, there is a defect in the KubePi JWT token verification. The JWT key in the default configuration file is empty. Although a random 32-bit string will be generated to overwrite the key in the configuration file when the...
GO-2023-1956 KubePi Privilege Escalation vulnerability in github.com/KubeOperator/kubepi
KubePi Privilege Escalation vulnerability in github.com/KubeOperator/kubepi...
GO-2023-1957 KubePi may leak password hash of any user in github.com/KubeOperator/kubepi
KubePi may leak password hash of any user in github.com/KubeOperator/kubepi...
GO-2023-1283 KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys in github.com/KubeOperator/kubepi
KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys in github.com/KubeOperator/kubepi...
GO-2023-1463 KubePi may allow unauthorized access to system API in github.com/KubeOperator/kubepi
KubePi may allow unauthorized access to system API in github.com/KubeOperator/kubepi...
GO-2023-1468 KubePi session fixation attack allows an attacker to hijack a legitimate user session in github.com/KubeOperator/kubepi
KubePi session fixation attack allows an attacker to hijack a legitimate user session in github.com/KubeOperator/kubepi...
CVE-2024-36111
KubePi is a K8s panel. Starting in version 1.6.3 and prior to version 1.8.0, there is a defect in the KubePi JWT token verification. The JWT key in the default configuration file is empty. Although a random 32-bit string will be generated to overwrite the key in the configuration file when the ke...
CVE-2024-36111 KubePi's JWT token validation has a defect
KubePi is a K8s panel. Starting in version 1.6.3 and prior to version 1.8.0, there is a defect in the KubePi JWT token verification. The JWT key in the default configuration file is empty. Although a random 32-bit string will be generated to overwrite the key in the configuration file when the ke...
CVE-2024-36111
The CVE-2024-36111 issue affects KubePi (K8s panel). Root cause: an empty JWT key in the default configuration leads to token verification failures, allowing a forged JWT to bypass login and take over the backend. Affected versions: 1.6.3 through 1.7.x (prior to 1.8.0). Version 1.8.0 contains a p...