{
  "schema_version": "1.4.0",
  "id": "GHSA-vjhf-8vqx-vqpq",
  "modified": "2023-01-06T17:37:58Z",
  "published": "2023-01-06T17:37:58Z",
  "aliases": [
    "CVE-2023-22463"
  ],
  "summary": "KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys",
  "details": "### Summary\nThe jwt authentication function of kubepi <= v1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. \n\n### Details\n[`session.go`](https://github.com/KubeOperator/KubePi/blob/da784f5532ea2495b92708cacb32703bff3a45a3/internal/api/v1/session/session.go#L35), the use of hard-coded JwtSigKey allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code.\n\n```golang\nvar JwtSigKey = []byte(\"signature_hmac_secret_shared_key\")\nvar jwtMaxAge = 10 * time.Minute\n\ntype Handler struct {\n\tuserService        user.Service\n\troleService        role.Service\n\tclusterService     cluster.Service\n\trolebindingService rolebinding.Service\n\tldapService        ldap.Service\n\tjwtSigner          *jwt.Signer\n}\n```\n### Affected Version\n<= v1.6.2\n\n### Patches\nThe vulnerability has been fixed in [v1.6.3](https://github.com/KubeOperator/KubePi/releases/tag/v1.6.3).\n\nhttps://github.com/KubeOperator/KubePi/commit/3be58b8df5bc05d2343c30371dd5fcf6a9fbbf8b : JWT key can be specified in app.yml, if leave it blank a random key will be used.\n\n### Workarounds\nIt is recommended to upgrade the version to [v1.6.3](https://github.com/KubeOperator/KubePi/releases/tag/v1.6.3).\n\n### For more information\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/KubeOperator/KubePi/issues).",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/KubeOperator/kubepi"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.3"
            }
          ]
        }
      ],
      "database_specific": {
        "last_known_affected_version_range": "<= 1.6.2"
      }
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/KubeOperator/KubePi/security/advisories/GHSA-vjhf-8vqx-vqpq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22463"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KubeOperator/KubePi/commit/3be58b8df5bc05d2343c30371dd5fcf6a9fbbf8b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/KubeOperator/KubePi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KubeOperator/KubePi/blob/da784f5532ea2495b92708cacb32703bff3a45a3/internal/api/v1/session/session.go#L35"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KubeOperator/KubePi/releases/tag/v1.6.3"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-06T17:37:58Z",
    "nvd_published_at": "2023-01-04T16:15:00Z"
  }
}