CVE-2023-22463

Public Exploit
KubePi's hard-coded JwtSigKey allows a malicious actor to log in with a forged JWT

Description

KubePi is a Kubernetes (k8s) management panel. The JWT authentication function of KubePi through version 1.6.2 uses a hard-coded JwtSigKey, so every online project (deployment) shares the same signing key. An attacker can therefore forge an arbitrary JWT and take over the administrator account of any online project, and from there take over the target enterprise's k8s cluster. In `session.go`, the hard-coded JwtSigKey lets anyone who knows the value forge JWTs at will; the JwtSigKey is confidential and should not be hard-coded in source. The vulnerability is fixed in 1.6.3: the JWT key is now specified in app.yml, and if the user leaves it blank a random key is used. There are no workarounds aside from upgrading.
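The fix described above (a signing key read from configuration, with a random key generated when the setting is blank) can be illustrated with a small Go program. This is an added example and not KubePi's code: the AppConfig type, its JwtSigKey field and the placeholder key string are assumptions, and the HS256 signing and verification helpers use only the Go standard library. It shows why a shared baked-in key is fatal and why a per-deployment key closes the hole: a token minted under the shared default verifies on every instance that uses it, but is rejected once an instance derives its own key.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AppConfig is a hypothetical stand-in for the app.yml settings mentioned in
// the advisory; the field name is an assumption, not KubePi's own.
type AppConfig struct {
	JwtSigKey string
}

// ResolveSigningKey follows the fixed behaviour: use the configured key, or
// generate a random per-deployment key when the setting is left blank.
func ResolveSigningKey(cfg AppConfig) ([]byte, error) {
	if cfg.JwtSigKey != "" {
		return []byte(cfg.JwtSigKey), nil
	}
	key := make([]byte, 32) // 256-bit key for HMAC-SHA256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

var b64 = base64.RawURLEncoding

// SignHS256 mints a compact JWT (header.payload.signature) with HMAC-SHA256.
func SignHS256(key []byte, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS256 pins the algorithm to HS256, checks the signature in constant
// time and returns the claims only when the token was signed with key.
func VerifyHS256(key []byte, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg") // also rejects alg=none
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return nil, errors.New("invalid signature")
	}
	rawPayload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	// Constructed placeholder standing in for a key baked into source code;
	// this is NOT the real KubePi value.
	sharedDefault := []byte("PLACEHOLDER-shared-default-key")
	forged, _ := SignHS256(sharedDefault, map[string]interface{}{"sub": "admin"})

	// Vulnerable pattern: every instance verifies with the same baked-in key.
	if _, err := VerifyHS256(sharedDefault, forged); err == nil {
		fmt.Println("shared key: token accepted by any instance using it")
	}

	// Fixed pattern: blank config value -> random key unique to this deployment.
	deployKey, err := ResolveSigningKey(AppConfig{})
	if err != nil {
		panic(err)
	}
	if _, err := VerifyHS256(deployKey, forged); err != nil {
		fmt.Println("per-deployment key: token rejected:", err)
	}
}
```

The verification pins `alg` to HS256 on purpose: a key-from-config fix is only as good as the verifier, and accepting whatever algorithm the header names would reopen the door through `alg=none` or an algorithm confusion.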

Category

CVSS: 9.8, Severity: Critical
EPSS: 89.24% (Top 5%)
Affected: KubeOperator KubePi

References

Third-Party Advisory: github.com (four references)

Frequently Asked Questions

What is the severity of CVE-2023-22463?
CVE-2023-22463 has been scored as a critical severity vulnerability.
How to fix CVE-2023-22463?
To fix CVE-2023-22463, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-22463 being actively exploited in the wild?
It is possible that CVE-2023-22463 is being exploited or will be exploited in the near future based on public information. According to its EPSS score, there is a ~89% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-22463?
CVE-2023-22463 affects KubeOperator KubePi.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.