CVE-2023-22463 — CRITICAL (9.8)

Q: How severe is CVE-2023-22463?

CVE-2023-22463 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2023-22463?

Check the references section above for vendor advisories and patch information. Affected products include: Fit2Cloud Kubepi.

Vulnerability Description

KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermore, they may use the administrator to take over the k8s cluster of the target enterprise. `session.go`, the use of hard-coded JwtSigKey, allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code. The vulnerability has been fixed in 1.6.3. In the patch, JWT key is specified in app.yml. If the user leaves it blank, a random key will be used. There are no workarounds aside from upgrading.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Fit2Cloud	Kubepi	< 1.6.3

Related Weaknesses (CWE)

CWE-798

References

https://github.com/KubeOperator/KubePi/blob/da784f5532ea2495b92708cacb32703bff3aThird Party Advisory
https://github.com/KubeOperator/KubePi/commit/3be58b8df5bc05d2343c30371dd5fcf6a9PatchThird Party Advisory
https://github.com/KubeOperator/KubePi/releases/tag/v1.6.3Release NotesThird Party Advisory
https://github.com/KubeOperator/KubePi/security/advisories/GHSA-vjhf-8vqx-vqpqExploitPatchThird Party Advisory
https://github.com/KubeOperator/KubePi/blob/da784f5532ea2495b92708cacb32703bff3aThird Party Advisory
https://github.com/KubeOperator/KubePi/commit/3be58b8df5bc05d2343c30371dd5fcf6a9PatchThird Party Advisory
https://github.com/KubeOperator/KubePi/releases/tag/v1.6.3Release NotesThird Party Advisory
https://github.com/KubeOperator/KubePi/security/advisories/GHSA-vjhf-8vqx-vqpqExploitPatchThird Party Advisory

FAQ

What is CVE-2023-22463?

CVE-2023-22463 is a vulnerability with a CVSS score of 9.8 (CRITICAL). KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker...

How severe is CVE-2023-22463?

CVE-2023-22463 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-22463?

Check the references section above for vendor advisories and patch information. Affected products include: Fit2Cloud Kubepi.