CVE-2023-22463
published 2023-01-04

CVE-2023-22463: KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all…

Priority: P1 · 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 69.67% (99.3rd percentile)
KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermore, they may use the administrator to take over the k8s cluster of the target enterprise. In `session.go`, the use of a hard-coded JwtSigKey allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code. The vulnerability has been fixed in 1.6.3. In the patch, the JWT key is specified in app.yml. If the user leaves it blank, a random key will be used. There are no workarounds aside from upgrading.

Affected

3 ranges

Vendor        Product               Version range   Fixed in
fit2cloud     kubepi                < 1.6.3         1.6.3
github.com    kubeoperator_kubepi   >= 0 < 1.6.3    1.6.3
kubeoperator  kubepi                < 1.6.3         1.6.3

Detection & IOCs (extracted from sources)

other: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfX0.XxQmyfq_7jyeYvrjqsOZ4BB4GoSkfLO2NvbKCEQjld8
url: /kubepi/api/v1/users
path: /kubepi/api/v1/users
  • Detect exploitation attempts by looking for POST requests to /kubepi/api/v1/users with an Authorization: Bearer header containing the known hard-coded forged JWT token.
  • A successful exploitation response will contain all three fields in the JSON body: '"password":', '"isAdmin":', and '"createAt":' with HTTP 200 and Content-Type application/json.
  • The forged JWT uses algorithm HS256 and encodes isAdministrator:true with email support@fit2cloud.com; flag any JWT with these claims presented to KubePi endpoints.
  • Use Shodan/FOFA queries 'html:"kubepi"' or 'body="kubepi"' to identify exposed KubePi instances for asset inventory and patch prioritization.
  • The hard-coded JwtSigKey is defined in session.go at line 35; any KubePi instance <= 1.6.2 is vulnerable to JWT forgery using this static key.
  • The hard-coded JwtSigKey affects ALL KubePi instances through version 1.6.2; the same static key is shared across every deployment, meaning the forged token above works universally against unpatched instances.
  • In the patched version 1.6.3, the JWT key is specified in app.yml; if left blank a random key is generated, so detection rules based on the static token will not apply to patched instances.
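As an added defender-side example (not code from this page or from the KubePi project), the following Python turns the indicators above into a log check: it flags the known forged token, an HS256 admin token carrying the vendor default email, and, for a 1.6.3+ deployment whose app.yml key is known, an admin token that does not verify under that key. The access-log format, the deployment key and both sample tokens are constructed assumptions.

```python
import base64, hashlib, hmac, json, re

# Constructed access-log shape (assumed, not KubePi's real format): <ip> "<METHOD> <path>" <status> "Bearer <jwt>"
LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3}) "Bearer ([\w-]+\.[\w-]+\.[\w-]+)"$')
VENDOR_DEFAULT_EMAIL = "support@fit2cloud.com"  # email claim carried by the public forged token

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def make_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 token; used here only to build the constructed sample lines below."""
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def signature_valid(token: str, key: bytes) -> bool:
    """Re-compute HS256 with the deployment's own key (the app.yml key in KubePi 1.6.3+)."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url_encode(expected), sig)

def classify_line(line: str, known_forged=frozenset(), key=None):
    """Return an alert reason for one log line, or None when nothing looks wrong."""
    m = LOG_RE.match(line)
    if not m or not m.group(3).startswith("/kubepi/api/v1/"):
        return None
    path, token = m.group(3), m.group(5)
    if token in known_forged:
        return f"known forged CVE-2023-22463 token on {path}"
    try:  # decode without verifying: detection only, these claims are untrusted input
        head, body, _ = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return f"malformed JWT on {path}"
    admin = header.get("alg") == "HS256" and claims.get("isAdministrator") is True
    if admin and claims.get("email") == VENDOR_DEFAULT_EMAIL:
        return f"admin token carrying vendor default email on {path}"
    if admin and key is not None and not signature_valid(token, key):
        return f"admin token not signed with this deployment's key on {path}"
    return None

# Constructed sample: an assumed 1.6.3+ deployment key and two constructed tokens (not the real IoC).
DEPLOY_KEY = b"constructed-deployment-key"
LEGIT = make_hs256({"name": "ops", "isAdministrator": True, "email": "ops@example.test"}, DEPLOY_KEY)
FORGED = make_hs256({"name": "admin", "isAdministrator": True, "email": VENDOR_DEFAULT_EMAIL}, b"other")
SAMPLE_LINES = [
    f'10.0.0.5 "POST /kubepi/api/v1/users" 200 "Bearer {LEGIT}"',
    f'203.0.113.9 "POST /kubepi/api/v1/users" 200 "Bearer {FORGED}"',
]
```

Run `classify_line` over each line of SAMPLE_LINES with `key=DEPLOY_KEY`; the first line is clean and the second is reported. Pre-1.6.3 instances have no per-deployment key to pass, so only the token and claim checks apply there.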

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v3.0  9.8  CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck        9.8  CRITICAL