Multiple vulnerabilities in 1Panel-dev KubePi
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2023-37917 CVE-2023-37916 |
| CWE-ID | CWE-264 CWE-200 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #2 is available. |
| Vulnerable software |
KubePi Client/Desktop applications / Other client software |
| Vendor | 1Panel-dev |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU78645
Risk: Medium
CVSSv4.0: 5.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-37917
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation.
MitigationInstall updates from vendor's website.
Vulnerable software versionsKubePi: 1.0.0 - 1.6.4
CPE2.3- cpe:2.3:a:1panel-dev:kubepi:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:1panel-dev:kubepi:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:1panel-dev:kubepi:1.1.0:*:*:*:*:*:*:*
https://github.com/1Panel-dev/KubePi/security/advisories/GHSA-757p-vx43-fp9r
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU78646
Risk: Medium
CVSSv4.0: 5.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2023-37916
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote user can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsKubePi: 1.0.0 - 1.6.4
CPE2.3- cpe:2.3:a:1panel-dev:kubepi:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:1panel-dev:kubepi:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:1panel-dev:kubepi:1.1.0:*:*:*:*:*:*:*
https://github.com/1Panel-dev/KubePi/security/advisories/GHSA-87f6-8gr7-pc6h
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
