PT-2022-27692 · Kubeview · Kubeview

Omnisl4Sh · Published 2022-11-27 · Updated 2024-02-02 · CVE-2022-45933

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: KubeView versions 0.1.31 and earlier

Description: The issue allows attackers to obtain control of a Kubernetes cluster because the api/scrape/kube-system endpoint does not require authentication and returns certificate files that can be used to authenticate as kube-admin. The vendor considers KubeView a "fun side project and a learning exercise," and not "very secure." In a real-world incident, a malicious actor extracted credentials and potentially obtained control of a Kubernetes cluster during a pentest. The exploitation involved navigating to a vulnerable KubeView UI and extracting sensitive information and cluster configurations with a custom script.

Recommendations: For versions 0.1.31 and earlier, consider disabling access to the api/scrape/kube-system endpoint until a patch is available. Restrict the use of the kube-admin certificate to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
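Until the endpoint is blocked, the most useful thing a defender can do is find out whether it has already been hit. The script below is an added example, not part of this advisory or of the KubeView project: it scans reverse-proxy access logs for requests to the api/scrape/ endpoint and rates a successful (HTTP 200) dump of kube-system as critical, since that is the response that carries the kube-admin certificate material. It assumes KubeView is served behind a proxy writing Apache/nginx "combined" format logs; the log lines, IP addresses, timestamps and user agents are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (combined log format) as a reverse proxy in
# front of KubeView might record them. IPs, timestamps and sizes are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Nov/2022:10:14:02 +0000] "GET / HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Nov/2022:10:14:05 +0000] "GET /api/namespaces HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Nov/2022:10:14:09 +0000] "GET /api/scrape/kube-system HTTP/1.1" 200 985311 "-" "python-requests/2.28.1"
10.0.0.5 - - [27/Nov/2022:10:15:00 +0000] "GET /api/scrape/default HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
198.51.100.22 - - [27/Nov/2022:11:02:41 +0000] "GET /api/scrape/kube-system HTTP/1.1" 403 153 "-" "curl/7.85.0"
"""

# One regex for the combined log format: client IP, timestamp, request line,
# status, response size, referer and user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

# The unauthenticated endpoint named in the advisory, minus the namespace.
SCRAPE_PREFIX = "/api/scrape/"


@dataclass
class Finding:
    ip: str
    ts: str
    namespace: str
    status: int
    size: int
    user_agent: str
    severity: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d


def classify(entry: dict) -> Optional[Finding]:
    """Turn a parsed entry into a Finding if it touched the scrape endpoint."""
    path = entry["path"].split("?", 1)[0]
    if not path.startswith(SCRAPE_PREFIX):
        return None
    namespace = path[len(SCRAPE_PREFIX):].strip("/")
    if entry["status"] != 200:
        # Blocked or failed attempt: no data left the cluster, but someone tried.
        severity = "info"
    elif namespace == "kube-system":
        # Successful dump of kube-system: the case the advisory describes.
        severity = "critical"
    else:
        # Other namespaces are outside the advisory's scope; flag for review.
        severity = "review"
    return Finding(entry["ip"], entry["ts"], namespace, entry["status"],
                   entry["size"], entry["ua"], severity)


def scan(log_text: str) -> List[Finding]:
    """Scan a whole log and return findings in the order they appear."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


def critical_sources(findings: List[Finding]) -> set:
    """IPs that obtained a successful kube-system dump; treat their certs as leaked."""
    return {f.ip for f in findings if f.severity == "critical"}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:8} {f.ts} {f.ip:15} /api/scrape/{f.namespace} "
              f"status={f.status} bytes={f.size} ua={f.user_agent!r}")
    print("rotate kube-admin certificate if non-empty:", critical_sources(scan(SAMPLE_LOG)))
```

A single critical finding means the kube-admin certificate in kube-system must be treated as compromised and rotated, regardless of whether the endpoint has since been blocked; the 403 entries show the mitigation working but still identify who is probing.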

Exploit

Weakness Enumeration

Missing Authentication
Improper Authentication

Related Identifiers

CVE-2022-45933
GHSA-22VC-5PGW-644Q

Affected Products

Kubeview