session fixation in kubeoperator/kubepi

Valid

Reported on

Jan 6th 2023


Description

A session fixation attack allows an attacker to hijack a legitimate user session. The attack investigates a flaw in how the online application handles the session ID, especially the susceptible web application.

Proof of Concept

https://drive.google.com/drive/folders/1n6Dgr2h6LqYr8OkvcvSVvfU_HA71GyFU?usp=sharing

Impact

A successful session fixation attack gives the attacker access to the victim's account. This could mean access to higher level privileges or the ability to look at sensitive data.
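To make the described flaw concrete, here is an added Go example that is not KubePi's code and not part of the report (the Store type, its regenerate flag and the in-memory map are constructed for illustration): the same session store either keeps the pre-login session ID on login or issues a fresh one, together with the check a reviewer would run against a session layer to tell the two apart.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
)
// Store is a minimal in-memory session store constructed for this example; the map
// value is true once the session is authenticated. regenerate=false keeps the
// pre-login ID on login (the fixation flaw); true issues a fresh one (the mitigation).
type Store struct {
	sessions   map[string]bool
	regenerate bool
}

func newID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}
// Begin creates an anonymous session, as a server does on a client's first visit.
func (s *Store) Begin() string {
	id := newID()
	s.sessions[id] = false
	return id
}

// Login authenticates the session behind id and returns the ID to use from now on.
func (s *Store) Login(id string) (next string, ok bool) {
	if _, known := s.sessions[id]; !known {
		return "", false
	}
	if !s.regenerate {
		s.sessions[id] = true // an ID the client held before login is now authenticated
		return id, true
	}
	delete(s.sessions, id) // the pre-login ID must never become an authenticated one
	next = newID()
	s.sessions[next] = true
	return next, true
}

// PreLoginIDStillValid reports whether an ID issued before login still grants access after login.
func PreLoginIDStillValid(regenerate bool) bool {
	st := &Store{sessions: map[string]bool{}, regenerate: regenerate}
	pre := st.Begin()
	st.Login(pre)
	return st.sessions[pre]
}
```

A store for which PreLoginIDStillValid(false) returns true is the pattern this report describes; the regenerate path shows the fix, with the old ID deleted rather than merely superseded.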

We are processing your report and will contact the kubeoperator/kubepi team within 24 hours. 3 months ago
sachinh09
3 months ago

Researcher


Application Version is KubePi API V1.0

We have contacted a member of the kubeoperator/kubepi team and are waiting to hear back 3 months ago
kubeoperator/kubepi maintainer validated this vulnerability 3 months ago
sachinh09 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
sachinh09
3 months ago

Researcher


Hello Team, thanks for the response. Could you kindly assist me in receiving the bounty?

wanghe marked this as fixed in v1.6.4 with commit 1e9c55 3 months ago
wanghe has been awarded the fix bounty
This vulnerability will not receive a CVE
wanghe published this vulnerability 3 months ago
sachinh09
3 months ago

Researcher


Hello Wanghe, this is a high vulnerability; can you please assign a CVE?
