CVE-2023-22479 – github.com/kubeoperator/kubepi
Package
Manager: go
Name: github.com/kubeoperator/kubepi
Vulnerable Version: >=0 <1.6.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00091 (percentile 0.26794)
Details
KubePi session fixation attack allows an attacker to hijack a legitimate user session.
### Summary
A session fixation attack allows an attacker to hijack a legitimate user session. The attack exploits a flaw in how the vulnerable web application handles the session ID.
### Affected Version
<= v1.6.3
### Patches
The vulnerability has been fixed in [v1.6.4](https://github.com/KubeOperator/KubePi/releases/tag/v1.6.4).
https://github.com/KubeOperator/KubePi/commit/1e9c550356c1a425a742480efcf743d373e98dcb : A session fixation attack allows an attacker to hijack a legitimate user session.
### Workarounds
It is recommended to upgrade to [v1.6.4](https://github.com/KubeOperator/KubePi/releases/tag/v1.6.4).
### For more information
If you have any questions or comments about this advisory, please [open an issue](https://github.com/KubeOperator/KubePi/issues). This vulnerability was reported by [sachinh09](https://huntr.dev/users/sachinh09/) from [huntr.dev](https://huntr.dev/).
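To make the flaw class concrete (CWE-384), here is an added Go example that is not KubePi's own session code: a login that keeps the session ID the client presented before authenticating, beside the mitigated form that invalidates it and issues a fresh server-generated ID. The in-memory store, the handler names and the planted ID `attacker-known-sid` are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Session is the server-side state keyed by the session ID cookie value.
type Session struct {
	User          string
	Authenticated bool
}

// Store is a minimal in-memory session store (constructed for this example).
type Store struct{ sessions map[string]*Session }
func NewStore() *Store { return &Store{sessions: map[string]*Session{}} }

// newSessionID draws a 128-bit random ID, hex-encoded.
func newSessionID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// LoginFixated shows the CWE-384 pattern: the session ID the client presented
// before authenticating is kept and merely marked as logged in, so anyone who
// knew that ID beforehand now holds the user's session.
func (s *Store) LoginFixated(presentedID, user string) string {
	s.sessions[presentedID] = &Session{User: user, Authenticated: true}
	return presentedID
}

// LoginRotating is the mitigation: on successful login the presented ID is
// invalidated and a fresh server-generated ID is bound to the user.
func (s *Store) LoginRotating(presentedID, user string) string {
	delete(s.sessions, presentedID)
	id := newSessionID()
	s.sessions[id] = &Session{User: user, Authenticated: true}
	return id
}

// Lookup returns the session bound to an ID, if any.
func (s *Store) Lookup(id string) (*Session, bool) { sess, ok := s.sessions[id]; return sess, ok }

func main() {
	store, known := NewStore(), "attacker-known-sid" // constructed pre-login ID
	fmt.Println("fixated keeps ID:", store.LoginFixated(known, "alice") == known)
	fmt.Println("rotated keeps ID:", store.LoginRotating(known, "alice") == known)
}
```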
Metadata
Created: 2023-01-09T21:57:10Z
Modified: 2023-07-21T18:02:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-v4w5-r2xc-7f8h/GHSA-v4w5-r2xc-7f8h.json
CWE IDs: ["CWE-384"]
Alternative ID: GHSA-v4w5-r2xc-7f8h
Finding: F280
Auto approve: 1