Privilege Escalation in kubepi
CVE-2023-37917

9.1 CRITICAL

Key Information:

Vendor

1panel-dev

Status
Vendor
CVE Published:
21 July 2023

What is CVE-2023-37917?

A vulnerability in KubePi, an open-source Kubernetes management panel, allows a normal (non-admin) user to change their own admin status by setting the 'isadmin' parameter in a user request. This is a design flaw: the server trusts a client-supplied privilege field, so any authenticated user can assume administrative control of the panel, posing significant security risks. The issue has been fixed in version 1.6.5, and users are strongly encouraged to update their installations to mitigate potential exploitation. Currently, there are no known workarounds for this vulnerability.
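The following Go program is an added illustration of the class of flaw described above and of the usual fix; it is not KubePi's own code, and the `User`, `profileUpdate`, `hardenedUpdate` and `setAdminFlag` names are hypothetical. Only the `isadmin` parameter name comes from the advisory. The vulnerable handler binds the whole request body onto the stored account record, so a privilege field the client sends is honoured; the hardened handler decodes into a narrow DTO that has no such field, rejects unknown fields so the attempt fails loudly and can be logged, and routes any role change through a separate path that checks the caller's role from the session rather than from the request.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// User is a hypothetical stored account record (not KubePi's own type);
// the "isadmin" tag mirrors the parameter name from the advisory.
type User struct {
	Name    string `json:"name"`
	Email   string `json:"email"`
	IsAdmin bool   `json:"isadmin"`
}

// vulnerableUpdate shows the flawed pattern: the request body is bound
// straight onto the stored record, so any field the caller sends,
// "isadmin" included, is honoured.
func vulnerableUpdate(stored User, body []byte) (User, error) {
	updated := stored
	if err := json.Unmarshal(body, &updated); err != nil {
		return stored, err
	}
	return updated, nil
}

// profileUpdate is the only shape a self-service update may take. It has no
// admin field, so the decoder has nowhere to put one.
type profileUpdate struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

// hardenedUpdate decodes into the narrow DTO, rejects unknown fields so an
// attempt to smuggle "isadmin" is refused (and can be logged), and copies
// the permitted fields explicitly onto the stored record.
func hardenedUpdate(stored User, body []byte) (User, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req profileUpdate
	if err := dec.Decode(&req); err != nil {
		return stored, fmt.Errorf("rejecting profile update: %w", err)
	}
	updated := stored
	updated.Name = req.Name
	updated.Email = req.Email
	return updated, nil
}

// setAdminFlag is the only path that may change the privilege bit. The
// caller's own role comes from the authenticated session record, never
// from the request body.
func setAdminFlag(caller User, target User, isAdmin bool) (User, error) {
	if !caller.IsAdmin {
		return target, errors.New("forbidden: only an admin may change admin status")
	}
	target.IsAdmin = isAdmin
	return target, nil
}

func main() {
	// Constructed request body: a normal user's profile update that also
	// carries the privilege field.
	body := []byte(`{"name":"alice","email":"alice@example.com","isadmin":true}`)
	alice := User{Name: "alice", Email: "alice@example.com"}

	u, _ := vulnerableUpdate(alice, body)
	fmt.Println("vulnerable binding, isadmin after update:", u.IsAdmin)

	_, err := hardenedUpdate(alice, body)
	fmt.Println("hardened binding:", err)

	_, err = setAdminFlag(alice, alice, true)
	fmt.Println("non-admin role change:", err)
}
```

`DisallowUnknownFields` is the detection hook: a rejected update with an unexpected `isadmin` key is worth recording in the panel's audit log, since a legitimate client never sends it on this endpoint.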

Affected Version(s)

KubePi < 1.6.5

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
