kubeview is vulnerable to access restriction bypass. The vulnerability exists in the default function of api.js, because api/scrape/kube-system does not require authentication, which allows an attacker to bypass the restrictions and retrieve certificate files that can be used to authenticate as kube-admin.
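
A log check for the exposure described above, added here as an example (it is not part of the original advisory or of the kubeview project). It assumes combined-format access logs from an ingress or reverse proxy in front of kubeview, with the third field holding the authenticated user (`-` when none); the sample lines and function names are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample lines (combined log format, assumed proxy output; not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /api/scrape/kube-system HTTP/1.1" 200 48211 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /api//scrape/%6bube-system?x=1 HTTP/1.1" 200 48211 "-" "curl/8.0"
198.51.100.4 - alice [12/Mar/2024:10:02:00 +0000] "GET /api/scrape/kube-system HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:03:00 +0000] "GET /api/scrape/default HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.33 - - [12/Mar/2024:10:04:00 +0000] "GET /api/scrape/kube-system HTTP/1.1" 401 0 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def scraped_namespace(target):
    """Return the namespace if the request target is api/scrape/<ns>, else None."""
    # Decode and normalise first so encoded or doubled-slash paths still match.
    path = posixpath.normpath(unquote(urlsplit(target).path))
    parts = [p for p in path.split("/") if p]
    if len(parts) == 3 and parts[:2] == ["api", "scrape"]:
        return parts[2]
    return None

def find_unauthenticated_scrapes(log_text, namespace="kube-system"):
    """Map client IP -> timestamps of successful scrapes made without a user."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        succeeded = m["status"].startswith("2")
        anonymous = m["user"] == "-"  # assumption: proxy logs the user here
        if succeeded and anonymous and scraped_namespace(m["target"]) == namespace:
            hits[m["ip"]].append(m["ts"])
    return dict(hits)

if __name__ == "__main__":
    for ip, times in find_unauthenticated_scrapes(SAMPLE_LOG).items():
        print(f"{ip}: {len(times)} unauthenticated kube-system scrape(s) at {times}")
```

Any hit means the namespace contents were served without authentication, so the certificate material the advisory mentions should be treated as exposed and rotated.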