Home > Vulnerability Database > CVE-2024-36111

Mend.io Vulnerability Database

CVE-2024-36111

Good to know:

Date: July 25, 2024

KubePi is a K8s panel. Starting in version 1.6.3 and prior to version 1.8.0, there is a defect in the KubePi JWT token verification. The JWT key in the default configuration file is empty. Although a random 32-bit string will be generated to overwrite the key in the configuration file when the key is detected to be empty in the configuration file reading logic, the key is empty during actual verification. Using an empty key to generate a JWT token can bypass the login verification and directly take over the back end. Version 1.8.0 contains a patch for this issue.

Language: Go

Severity Score

6.3

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-36111

Url: https://github.com/1Panel-dev/KubePi/security/advisories/GHSA-8q5r-cvcw-4wx7

Url: https://www.mend.io/vulnerability-database/CVE-2024-36111

Severity Score

6.3

Weakness Type (CWE)

Improper Restriction of Security Token Assignment

CWE-1259

Top Fix

Upgrade Version

Upgrade to version github.com/1Panel-dev/KubePi-v1.8.0

Learn More

CVSS v3.1

Base Score:	6.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-36111

Good to know:

Date: July 25, 2024

Language: Go

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?