[CVE-2022-45933] Critical Security Issue that could lead to full cluster takeover #95
Comments
Thanks for flagging this. Sorry it won't be done ASAP as I have other priorities

You're welcome. Sure I understand. Excuse me if I offended you by asking for this to be done ASAP. It wasn't intended. It was out of panic and concern, that's all. I'm sure you can imagine the impact if this is exposed to a malicious actor. However, authentication would reduce the amount of information disclosure to zero which I believe is the best option. Of course, I'll be glad to hear a better opinion. I'm positive that you also won't disagree that jeopardizing the security of an entire cluster would greatly outweigh a great solution like yours. Even if it's totally open-source and free. Kindly mind that responsibility. Thank you again.

Additionally - especially if you don't have time to fix this issue quickly - please add a big note to the README mentioning this security issue.

Hello,
May you please consider adding authentication to KubeView?
A curl to the API for the kube-system namespace would return certificate files that can be used for authentication and ultimately lead to taking full control over the k8s cluster! The request would be like this:
and using the certs for auth like below:
Please fix this ASAP to make sure everyone who uses this is secure.
Thanks in advance :)