CVE-2023-37916

Name of the Vulnerable Software and Affected Versions KubePi versions prior to 1.6.5

Description The issue concerns the leakage of password hashes for any user, including administrators, through the /kubepi/api/v1/users/search endpoint. This could allow a motivated attacker to crack the leaked password hashes, potentially leading to unauthorized access. The problem is associated with leaking confidential information and can lead to password cracking attacks.

Recommendations For versions prior to 1.6.5, upgrade to version 1.6.5 to address the issue. As a temporary workaround, consider restricting access to the /kubepi/api/v1/users/search endpoint until the upgrade is possible. Avoid using the pageNum and pageSize parameters in the affected API endpoint until the issue is resolved.