Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/KubeOperator/KubeOperator: GHSA-jxgp-jgh3-8jc8 #1466

Closed
GoVulnBot opened this issue Jan 9, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/KubeOperator/KubeOperator: GHSA-jxgp-jgh3-8jc8 #1466

GoVulnBot opened this issue Jan 9, 2023 · 1 comment
Assignees
@julieqiu
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-jxgp-jgh3-8jc8, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/KubeOperator/KubeOperator <= 3.16.3

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - {}
    packages:
      - package: github.com/KubeOperator/KubeOperator
description: |-
    ### Summary
    API interfaces with unauthorized access will leak sensitive information
    /api/v1/clusters/kubeconfig/<clusterName>
    ### Details
    Routes using v1 without any restrictions
    <img width="930" alt="image" src="https://user-images.githubusercontent.com/35884266/211258033-84aa14fb-01d5-459c-af81-e48b7552fabf.png">

    Directly pass in `downloadKubeconfig` according to the cluster name

    <img width="960" alt="image" src="https://user-images.githubusercontent.com/35884266/211258011-d885fda6-06c3-4603-be4a-38d9c9b918b4.png">
    pkg/router/v1/white.go

    no restrictions
    ```go
    func downloadKubeconfig(ctx context.Context) {
    	clusterName := ctx.Params().GetString("name")
    	ctx.Header("Content-Disposition", "attachment")
    	ctx.Header("filename", fmt.Sprintf("%s-config", clusterName))
    	ctx.Header("Content-Type", "application/download")
    	clusterService := service.NewClusterService()
    	str, err := clusterService.GetKubeconfig(clusterName)
    	if err != nil {
    		_, _ = ctx.JSON(err)
    		ctx.StatusCode(http.StatusInternalServerError)
    	}
    	_, _ = ctx.WriteString(str)
    }
    ```
    <img width="872" alt="image" src="https://user-images.githubusercontent.com/35884266/211258106-79204452-b0b8-4d02-b774-1c2b61dd6bf2.png">

    ### Impact
    This is an unauthorized access to the kubeconfig vulnerability, which can be used to take over the cluster under certain conditions
cves:
  - CVE-2023-22480
ghsas:
  - GHSA-jxgp-jgh3-8jc8
@julieqiu julieqiu added the excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. label Jan 24, 2023
@julieqiu julieqiu self-assigned this Jan 30, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/464316 mentions this issue: data/excluded: batch add excluded reports

@julieqiu julieqiu mentioned this issue Jan 31, 2023
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@julieqiu julieqiu

Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@julieqiu @gopherbot @GoVulnBot