
CVE-2024-36111

Severity: Medium

Published: 25 July 2024

Modified: 15 April 2026
CVSS v3.1 score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS score: 0.6109 (98.3rd percentile)
Risk priority: 49 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-36111 is a medium-severity Improper Restriction of Security Token Assignment (CWE-1259) vulnerability. Its CVSS base score is 6.3 (Medium).

Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

KubePi, an open-source Kubernetes management panel, contains a JWT token verification flaw in versions 1.6.3 through 1.7.x. The default configuration file ships with an empty JWT signing key; although startup logic attempts to generate a random 32-byte replacement when the empty value is detected, the verification path continues to use the empty key, allowing crafted tokens to be accepted as valid.

An attacker with network access to the KubePi instance can therefore create a JWT signed with an empty key, bypass all authentication checks, and obtain full administrative control of the backend. The CVSS 6.3 rating reflects a network attack vector, low attack complexity, and low privileges required, with low confidentiality, integrity, and availability impacts confined to the application (scope unchanged).

The project advisory GHSA-8q5r-cvcw-4wx7 states that the issue is resolved in version 1.8.0; administrators should upgrade immediately and verify that the JWT key field in the configuration file contains a non-empty value after deployment. The associated EPSS score of 0.61 shows no material post-disclosure increase.


Vulnerability details

KubePi is a K8s panel. Starting in version 1.6.3 and prior to version 1.8.0, there is a defect in the KubePi JWT token verification. The JWT key in the default configuration file is empty. Although a random 32-bit string will be generated to overwrite the key in the configuration file when the key is detected to be empty in the configuration file reading logic, the key is empty during actual verification. Using an empty key to generate a JWT token can bypass the login verification and directly take over the back end. Version 1.8.0 contains a patch for this issue.
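Added example (not KubePi's code): a minimal HS256 issue/verify pair in Go that shows the fix the "Deeper analysis" and "Vulnerability details" paragraphs above call for. The verifier is handed the key the startup logic actually generated rather than the raw configuration value, and it refuses outright when given an empty key, so no token can validate against the empty default. Function names, the sample claims and the key values are constructed for this illustration; claim validation (exp, aud) is out of scope.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
// effectiveJWTKey: the configured key, or a fresh random 32-byte key when the
// configured value is empty. Issuer and verifier both use this return value.
func effectiveJWTKey(configured []byte) ([]byte, error) {
	if len(configured) > 0 {
		return configured, nil
	}
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func hs256(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

func signHS256(key []byte, claims string) string {
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) +
		"." + b64.EncodeToString([]byte(claims))
	return input + "." + b64.EncodeToString(hs256(key, input))
}

// verifyHS256 fails closed: an empty key is a config error, never a verifier.
func verifyHS256(key []byte, token string) (string, error) {
	if len(key) == 0 {
		return "", errors.New("jwt: empty signing key; refusing to verify")
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("jwt: malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		return "", errors.New("jwt: signature mismatch")
	}
	claims, err := b64.DecodeString(parts[1])
	return string(claims), err
}
```

The defect described above is the gap between the key written at startup and the key read at verification time; returning the generated key to the caller and failing closed on an empty key removes that gap.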


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.


Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
