CVE-2024-36111

Name of the Vulnerable Software and Affected Versions KubePi versions 1.6.3 through 1.7.x

Description The issue is related to a defect in the KubePi JWT token verification. The JWT key in the default configuration file is empty. Although a random 32-bit string is generated to overwrite the key when it is detected to be empty, the key remains empty during actual verification. This allows an attacker to bypass login verification and take over the back end by using an empty key to generate a JWT token.

Recommendations For versions 1.6.3 through 1.7.x, update to version 1.8.0 to resolve the issue. As a temporary workaround, consider disabling the JWT token verification until a patch is available. Restrict access to the KubePi panel to minimize the risk of exploitation.