CVE-2023-22463
Published 2023-01-04
Priority P1 · 90 · critical · 9.8 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW exploit: VulnCheck KEV
Exploited in the wild
EPSS: 69.67% (99.3th percentile)
KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermore, they may use the administrator to take over the k8s cluster of the target enterprise. `session.go`, the use of hard-coded JwtSigKey, allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code. The vulnerability has been fixed in 1.6.3. In the patch, JWT key is specified in app.yml. If the user leaves it blank, a random key will be used. There are no workarounds aside from upgrading.
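The fix as the advisory describes it (key read from app.yml, a random key when the value is blank), written here as an added Go illustration rather than KubePi's own code. Refusing the old literal and requiring at least 32 bytes are extra checks assumed for a hardened loader; the advisory does not say the 1.6.3 patch performs them.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// The literal that session.go shipped through 1.6.2 (quoted from the advisory above).
const legacyDefaultKey = "signature_hmac_secret_shared_key"

// LoadJwtSigKey takes the value configured in app.yml (assumed already parsed into a string).
// Blank means "generate a random key", as the advisory says the patch does; the other two
// checks are additions for illustration, not behaviour the advisory attributes to the patch.
func LoadJwtSigKey(configured string) ([]byte, error) {
	if configured == legacyDefaultKey {
		return nil, errors.New("jwt key is the publicly known pre-1.6.3 default; choose another")
	}
	if configured == "" {
		key := make([]byte, 32) // 256 bits, matching the HS256 output size
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		return key, nil
	}
	if len(configured) < 32 {
		return nil, errors.New("jwt key must be at least 32 bytes for HS256")
	}
	return []byte(configured), nil
}

func main() {
	k, err := LoadJwtSigKey("") // blank config: a fresh random key on every start
	fmt.Printf("random key: %d bytes, err=%v\n", len(k), err)
	_, err = LoadJwtSigKey(legacyDefaultKey)
	fmt.Println("legacy default:", err)
}
```

Because a blank setting yields a new key on each start, sessions do not survive a restart and separate replicas would not accept each other's tokens; anything beyond a single instance needs an explicit value in app.yml.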
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fit2cloud | kubepi | < 1.6.3 | 1.6.3 |
| github.com | kubeoperator_kubepi | >= 0 < 1.6.3 | 1.6.3 |
| kubeoperator | kubepi | < 1.6.3 | 1.6.3 |
Detection & IOCs
Known forged JWT (IoC, from sources): eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfX0.XxQmyfq_7jyeYvrjqsOZ4BB4GoSkfLO2NvbKCEQjld8
- Detect exploitation attempts by looking for POST requests to /kubepi/api/v1/users with an Authorization: Bearer header containing the known hard-coded forged JWT token.
- A successful exploitation response will contain all three fields in the JSON body: '"password":', '"isAdmin":', and '"createAt":', with HTTP 200 and Content-Type application/json.
- The forged JWT uses algorithm HS256 and encodes isAdministrator:true with email support@fit2cloud.com (as decoded from the token above); flag any JWT with these claims presented to KubePi endpoints.
- Use Shodan/FOFA queries 'html:"kubepi"' or 'body="kubepi"' to identify exposed KubePi instances for asset inventory and patch prioritization.
- The hard-coded JwtSigKey is defined in session.go at line 35; any KubePi instance <= 1.6.2 is vulnerable to JWT forgery using this static key.
- The hard-coded JwtSigKey affects ALL KubePi instances through version 1.6.2: the same static key is shared across every deployment, so the forged token above works universally against unpatched instances.
- In the patched version 1.6.3, the JWT key is specified in app.yml; if left blank a random key is generated, so detection rules based on the static token will not apply to patched instances.
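The detection items above, turned into a small Go checker (added here; not part of the advisory or of KubePi): it extracts the bearer token from POST /kubepi/api/v1/users log lines, matches the published forged token exactly, and otherwise flags HS256 tokens whose decoded claims match the forged token's admin profile. The log lines are constructed in a simplified format, and the second token is a constructed benign one.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Forged admin token published as an IoC for CVE-2023-22463 (copied from the advisory above).
const KnownForgedJWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfX0.XxQmyfq_7jyeYvrjqsOZ4BB4GoSkfLO2NvbKCEQjld8"
var bearerRe = regexp.MustCompile(`Bearer ([\w-]+\.[\w-]+\.[\w-]*)`)
// decodeSeg parses one base64url JWT segment as JSON into v.
func decodeSeg(seg string, v interface{}) bool {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	return err == nil && json.Unmarshal(raw, v) == nil
}
// FlagToken says why a token presented to KubePi is suspicious ("" if not); no signature check, the detector has no key.
func FlagToken(tok string) string {
	if tok == KnownForgedJWT {
		return "exact match on the published forged token"
	}
	var hdr, claims map[string]interface{}
	parts := strings.Split(tok, ".")
	if len(parts) != 3 || !decodeSeg(parts[0], &hdr) || !decodeSeg(parts[1], &claims) {
		return "undecodable JWT"
	}
	if hdr["alg"] == "HS256" && claims["isAdministrator"] == true && claims["email"] == "support@fit2cloud.com" {
		return "HS256 token carrying the forged token's admin claims"
	}
	return ""
}
// ScanLog maps the index of each flagged POST /kubepi/api/v1/users line to the reason it was flagged.
func ScanLog(lines []string) map[int]string {
	hits := map[int]string{}
	for i, l := range lines {
		if m := bearerRe.FindStringSubmatch(l); m != nil && strings.Contains(l, "POST /kubepi/api/v1/users") {
			if why := FlagToken(m[1]); why != "" {
				hits[i] = why
			}
		}
	}
	return hits
}
var SampleLog = []string{ // constructed lines in a simplified access-log shape, not real KubePi logs
	`203.0.113.5 POST /kubepi/api/v1/users authorization="Bearer ` + KnownForgedJWT + `" 200`,
	`198.51.100.7 POST /kubepi/api/v1/users authorization="Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYm9iIn0.sig" 200`,
}

func main() { fmt.Println(ScanLog(SampleLog)) }
```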
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
OSV
KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys in github.com/KubeOperator/kubepi
osv · 2024-08-20 · CVE-2023-22463
GHSA
KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys
ghsa · 2023-01-06 · CVE-2023-22463 · CRITICAL · CWE-798
### Summary
The jwt authentication function of kubepi <= v1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project.
### Details
[`session.go`](https://github.com/KubeOperator/KubePi/blob/da784f5532ea2495b92708cacb32703bff3a45a3/internal/api/v1/session/session.go#L35), the use of hard-coded JwtSigKey allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code.
```golang
var JwtSigKey = []byte("signature_hmac_secret_shared_key")
var jwtMaxAge = 10 * time.Minute
type Handler st
```
OSV
KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys
osv · 2023-01-06 · CVE-2023-22463 · CRITICAL
VulnCheck
fit2cloud kubepi Use of Hard-coded Credentials
vulncheck · 2023 · CVSS 9.8 · CVE-2023-22463 · CRITICAL
No detection rules found.
Nuclei
KubePi JwtSigKey - Admin Authentication Bypass
nuclei · CVSS 9.8 · CVE-2023-22463 · CRITICAL
Template:
```yaml
id: CVE-2023-22463
info:
  name: KubePi JwtSigKey - Admin Authentication Bypass
  author: DhiyaneshDK
  severity: critical
  description: |
    KubePi is a k8s panel. The jwt a
```
References
- https://github.com/KubeOperator/KubePi/blob/da784f5532ea2495b92708cacb32703bff3a45a3/internal/api/v1/session/session.go#L35
- https://github.com/KubeOperator/KubePi/commit/3be58b8df5bc05d2343c30371dd5fcf6a9fbbf8b
- https://github.com/KubeOperator/KubePi/releases/tag/v1.6.3
- https://github.com/KubeOperator/KubePi/security/advisories/GHSA-vjhf-8vqx-vqpq