What is CVE-2023-22463?

CVE-2023-22463 is a critical-severity vulnerability in Kubeoperator Kubepi, classified under Use of Hard-coded Credentials. CVSS score: 9.8/10. Published 2023-01-04.

How severe is CVE-2023-22463?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2023-22463 known to be exploited?

12 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Kubeoperator Kubepi

CVE-2023-22463

KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over t…

EPSS: 0.915 (99.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Kubeoperator Kubepi — versions < 1.6.3

Weakness classification (CWE)

CWE-798 — Use of Hard-coded Credentials

Public proof-of-concept exploits

References

https://github.com/KubeOperator/KubePi/security/advisories/GHSA-vjhf-8vqx-vqpq (x_refsource_CONFIRM)
https://github.com/KubeOperator/KubePi/commit/3be58b8df5bc05d2343c30371dd5fcf6a9fbbf8b (x_refsource_MISC)
https://github.com/KubeOperator/KubePi/blob/da784f5532ea2495b92708cacb32703bff3a45a3/internal/api/v1/session/session.go#L35 (x_refsource_MISC)
https://github.com/KubeOperator/KubePi/releases/tag/v1.6.3 (x_refsource_MISC)

Frequently asked questions

What is CVE-2023-22463?: CVE-2023-22463 is a critical-severity vulnerability in Kubeoperator Kubepi, classified under Use of Hard-coded Credentials. CVSS score: 9.8/10. Published 2023-01-04.
How severe is CVE-2023-22463?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2023-22463 known to be exploited?: 12 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.