CVE-2023-37916

MEDIUM

KubePi < 1.6.5 - Password Hash Exposure to Low-Privileged Users via User Search Endpoint

Title source: llm

Description

KubePi is an open-source Kubernetes management panel. The endpoint /kubepi/api/v1/users/search?pageNum=1&&pageSize=10 leaks the password hash of every user (including admin) in its response. A sufficiently motivated attacker may be able to crack the leaked password hashes offline. The CVSS vector below scores the issue as reachable by any low-privileged authenticated user (PR:L) with no user interaction. This issue has been addressed in version 1.6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
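The pattern behind this CWE-200 finding is a stored account record, hash field included, being encoded straight into a list/search response. The Go program below is an added example written for this page; it is not KubePi's code and the struct names, field names, JSON layout and the sample bcrypt-style hash are all constructed assumptions. It shows the leaky response shape beside a hardened one, and a small detector that walks any JSON body returned by the search endpoint and reports the paths of values that look like password hashes, so a practitioner can confirm or rule out this class of exposure on a live instance.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// User is a constructed stand-in for a stored account record (not KubePi's type).
type User struct {
	Name         string
	Email        string
	IsAdmin      bool
	PasswordHash string // stored hash; must never leave the server
}

// leakyView mirrors the vulnerable pattern: the stored record, hash included,
// is serialised verbatim into the users/search response.
type leakyView struct {
	Name     string `json:"name"`
	Email    string `json:"email"`
	IsAdmin  bool   `json:"isAdmin"`
	Password string `json:"password"` // the field that should not exist in an API view
}

// safeView is the hardened response shape: there is no hash field to leak.
type safeView struct {
	Name    string `json:"name"`
	Email   string `json:"email"`
	IsAdmin bool   `json:"isAdmin"`
}

// searchResponse is an assumed envelope for a paged search result.
type searchResponse struct {
	Total int `json:"total"`
	Items any `json:"items"`
}

// SearchResponseLeaky builds the vulnerable response body.
func SearchResponseLeaky(users []User) ([]byte, error) {
	items := make([]leakyView, 0, len(users))
	for _, u := range users {
		items = append(items, leakyView{u.Name, u.Email, u.IsAdmin, u.PasswordHash})
	}
	return json.Marshal(searchResponse{Total: len(users), Items: items})
}

// SearchResponseSafe builds the hardened response body from the same records.
func SearchResponseSafe(users []User) ([]byte, error) {
	items := make([]safeView, 0, len(users))
	for _, u := range users {
		items = append(items, safeView{u.Name, u.Email, u.IsAdmin})
	}
	return json.Marshal(searchResponse{Total: len(users), Items: items})
}

// hashPattern matches modular-crypt style prefixes (bcrypt $2a$/$2b$/$2y$,
// sha256/sha512-crypt $5$/$6$, argon2, scrypt).
var hashPattern = regexp.MustCompile(`^\$(2[abxy]?|5|6|argon2id?|argon2i|scrypt)\$`)

// FindLeakedHashes walks an arbitrary JSON body and returns, sorted, the JSON
// paths whose string values look like stored password hashes.
func FindLeakedHashes(body []byte) ([]string, error) {
	var doc any
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, err
	}
	var hits []string
	walk("$", doc, &hits)
	sort.Strings(hits)
	return hits, nil
}

func walk(path string, v any, hits *[]string) {
	switch t := v.(type) {
	case map[string]any:
		for k, child := range t {
			walk(path+"."+k, child, hits)
		}
	case []any:
		for i, child := range t {
			walk(fmt.Sprintf("%s[%d]", path, i), child, hits)
		}
	case string:
		if hashPattern.MatchString(t) {
			*hits = append(*hits, path)
		}
	}
}

// sampleUsers returns constructed records; the hashes are fake bcrypt-shaped strings.
func sampleUsers() []User {
	return []User{
		{"admin", "admin@example.test", true, "$2a$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234"},
		{"viewer", "viewer@example.test", false, "$2a$10$zyxwvutsrqponmlkjihgffZYXWVUTSRQPONMLKJIHGFEDCBA98765"},
	}
}

func main() {
	users := sampleUsers()
	leaky, _ := SearchResponseLeaky(users)
	safe, _ := SearchResponseSafe(users)
	hits, _ := FindLeakedHashes(leaky)
	fmt.Println("vulnerable response leaks:", hits)
	hits, _ = FindLeakedHashes(safe)
	fmt.Println("hardened response leaks:", hits)
}
```

Dropping the field from the view type is one fix; tagging the hash field of the stored struct with `json:"-"` is the other, and it protects every handler that might encode the record rather than just this one. To check a real instance, save the raw body of the search endpoint and feed it to FindLeakedHashes; a non-empty result on a version below 1.6.5 is the exposure this CVE describes.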

References (1)

https://github.com/1Panel-dev/KubePi/security/advisories/GHSA-87f6-8gr7-pc6h (Exploit, Third Party Advisory; x_refsource_confirm)

Scores

CVSS v3 6.5
EPSS 0.0068
EPSS Percentile 47.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (2)
fit2cloud/kubepi < 1.6.5
KubeOperator/kubepi 0 - 1.6.5 (Go)
Published Jul 21, 2023
Tracked Since Feb 18, 2026