CVE-2022-45933

CRITICAL EXPLOITED NUCLEI

kubeview < 0.1.31 - Unauthenticated Kubernetes Cluster Control via api/scrape/kube-system

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2022-45933 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

KubeView through 0.1.31 allows attackers to obtain control of a Kubernetes cluster because api/scrape/kube-system does not require authentication, and retrieves certificate files that can be used for authentication as kube-admin. NOTE: the vendor's position is that KubeView was a "fun side project and a learning exercise," and not "very secure."

Nuclei Templates (1)

KubeView <=0.1.31 - Information Disclosure
CRITICALVERIFIEDby For3stCo1d
Shodan: http.title:"KubeView" || http.title:"kubeview" || http.favicon.hash:-379154636
FOFA: icon_hash=-379154636 || title="kubeview"

References (1)

Core 1
Core References
Exploit, Issue Tracking, Third Party Advisory
https://github.com/benc-uk/kubeview/issues/95

Scores

CVSS v3 9.8
EPSS 0.5170
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2023-11-25
CWE
CWE-306
Status published
Products (2)
benc-uk/kubeview 0Go
kubeview_project/kubeview < 0.1.31
Published Nov 27, 2022
Tracked Since Feb 18, 2026