CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2845 – Improper Access Control in cloudexplorer-dev/cloudexplorer-lite
https://notcve.org/view.php?id=CVE-2023-2845
Improper Access Control in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0. • https://github.com/cloudexplorer-dev/cloudexplorer-lite/commit/d9f55a44e579d312977b02317b2020de758b763a https://huntr.dev/bounties/ac10e81c-998e-4425-9d74-b985d9b0254c • CWE-284: Improper Access Control •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2844 – Authorization Bypass Through User-Controlled Key in cloudexplorer-dev/cloudexplorer-lite
https://notcve.org/view.php?id=CVE-2023-2844
Authorization Bypass Through User-Controlled Key in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0. • https://github.com/cloudexplorer-dev/cloudexplorer-lite/commit/d9f55a44e579d312977b02317b2020de758b763a https://huntr.dev/bounties/6644b36e-603d-4dbe-8ee2-5df8b8fb2e22 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 1CVE-2023-28110 – JumpServer Koko vulnerable to Command Injection for Kubernetes Connection
https://notcve.org/view.php?id=CVE-2023-28110
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, refactoring coco's SSH/SFTP service and Web Terminal service. Prior to version 2.28.8, using illegal tokens to connect to a Kubernetes cluster through Koko can result in the execution of dangerous commands that may disrupt the Koko container environment and affect normal usage. The vulnerability has been fixed in v2.28.8. • https://github.com/jumpserver/jumpserver/releases/tag/v2.28.8 https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6x5p-jm59-jh29 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.5EPSS: 12%CPEs: 1EXPL: 0CVE-2023-22478 – KubePi is vulnerable to missing authorization
https://notcve.org/view.php?id=CVE-2023-22478
KubePi is a modern Kubernetes panel. The API interfaces with unauthorized entities and may leak sensitive information. This issue has been patched in version 1.6.4. There are currently no known workarounds. • https://github.com/KubeOperator/KubePi/commit/0c6774bf5d9003ae4d60257a3f207c131ff4a6d6 https://github.com/KubeOperator/KubePi/releases/tag/v1.6.4 https://github.com/KubeOperator/KubePi/security/advisories/GHSA-gqx8-hxmv-c4v4 • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 24%CPEs: 1EXPL: 0CVE-2023-22480 – KubeOperator is vulnerable to unauthorized access to system API
https://notcve.org/view.php?id=CVE-2023-22480
KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used to take over the cluster under certain conditions. This issue has been patched in version 3.16.4. • https://github.com/KubeOperator/KubeOperator/commit/7ef42bf1c16900d13e6376f8be5ecdbfdfb44aaf https://github.com/KubeOperator/KubeOperator/releases/tag/v3.16.4 https://github.com/KubeOperator/KubeOperator/security/advisories/GHSA-jxgp-jgh3-8jc8 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •