[github.com/KubeOperator/kubepi] KubePi may allow unauthorized access to system API

Summary

API interfaces with unauthorized access will leak sensitive information
/kubepi/api/v1/systems/operation/logs/search
/kubepi/api/v1/systems/login/logs/search

This vulnerability also exists in https://github.com/KubeOperator/KubeOperator

Details

The vulnerability is located in
KubePi/internal/api/v1/v1.go

sp.Post("/login/logs/search", handler.LoginLogsSearch()) directly uses the v1 route without middleware authentication

Follow up found no role based authentication

sp.Post("/operation/logs/search", handler.OperationLogsSearch()) the same as above

Impact

KubePI <=1.6.3

References

https://github.com/KubeOperator/KubePi/security/advisories/GHSA-gqx8-hxmv-c4v4
https://github.com/advisories/GHSA-gqx8-hxmv-c4v4

TechMedia