golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/KubeOperator/kubepi: GHSA-vjhf-8vqx-vqpq #1283

Closed GoVulnBot closed 1 year ago

GoVulnBot commented 1 year ago

In GitHub Security Advisory GHSA-vjhf-8vqx-vqpq, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/KubeOperator/kubepi | 1.6.3 | <= 1.6.2 |

Cross references: No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - introduced: TODO (earliest fixed "1.6.3", vuln range "<= 1.6.2")
    packages:
      - package: github.com/KubeOperator/kubepi
description: "### Summary\nThe jwt authentication function of kubepi <= v1.6.2 uses
    hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects.
    This means that an attacker can forge any jwt token to take over the administrator
    account of any online project. \n\n### Details\n[`session.go`](https://github.com/KubeOperator/KubePi/blob/da784f5532ea2495b92708cacb32703bff3a45a3/internal/api/v1/session/session.go#L35),
    the use of hard-coded JwtSigKey allows an attacker to use this value to forge
    jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded
    in the code.\n\n```golang\nvar JwtSigKey = []byte(\"signature_hmac_secret_shared_key\")\nvar
    jwtMaxAge = 10 * time.Minute\n\ntype Handler struct {\n\tuserService        user.Service\n\troleService
    \       role.Service\n\tclusterService     cluster.Service\n\trolebindingService
    rolebinding.Service\n\tldapService        ldap.Service\n\tjwtSigner          *jwt.Signer\n}\n```\n###
    Affected Version\n<= v1.6.2\n\n### Patches\nThe vulnerability has been fixed in
    [v1.6.3](https://github.com/KubeOperator/KubePi/releases/tag/v1.6.3).\n\nhttps://github.com/KubeOperator/KubePi/commit/3be58b8df5bc05d2343c30371dd5fcf6a9fbbf8b
    : JWT key can be specified in app.yml, if leave it blank a random key will be
    used.\n\n### Workarounds\nIt is recommended to upgrade the version to [v1.6.3](https://github.com/KubeOperator/KubePi/releases/tag/v1.6.3).\n\n###
    For more information\nIf you have any questions or comments about this advisory,
    please [open an issue](https://github.com/KubeOperator/KubePi/issues)."
cves:
  - CVE-2023-22463
ghsas:
  - GHSA-vjhf-8vqx-vqpq
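The advisory above describes the defect (an HMAC signing key compiled into every build, so every deployment verifies tokens with the same secret) and the fix (a key taken from `app.yml`, with a random key when none is configured). The following is an added, self-contained Go example, not KubePi's own code, showing the hardened key-loading pattern next to a minimal HS256 sign/verify pair, plus a regression check a maintainer would keep in their tests: a token signed with the old shared literal must not verify against a server that uses a per-deployment key. The function names (`loadSigningKey`, `signHS256`, `verifyHS256`, `AcceptsSharedKeyToken`), the `claims` struct and the configuration string are assumptions for illustration; the literal key value is the one quoted in the advisory snippet.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// sharedLiteralKey is the kind of compile-time constant the advisory warns about:
// every deployment built from the same source would share it (value quoted from the advisory).
var sharedLiteralKey = []byte("signature_hmac_secret_shared_key")

// loadSigningKey follows the documented fix: use the configured key, and when the
// configuration is blank generate a fresh random key for this deployment.
// (Hypothetical helper; KubePi's real config loading is not shown here.)
func loadSigningKey(configured string) ([]byte, error) {
	if configured != "" {
		return []byte(configured), nil
	}
	key := make([]byte, 32) // 256-bit random secret, never shared between installs
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// claims is a constructed, minimal payload for the demonstration.
type claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 builds a compact JWT (header.payload.signature) with HMAC-SHA256.
func signHS256(key []byte, c claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// verifyHS256 accepts only HS256, recomputes the MAC with the server's key and
// compares in constant time before trusting the payload.
func verifyHS256(key []byte, token string) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims{}, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return claims{}, errors.New("unsupported alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return claims{}, errors.New("invalid signature")
	}
	var c claims
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return claims{}, errors.New("bad payload")
	}
	return c, nil
}

// AcceptsSharedKeyToken is a regression check: it reports whether a server using
// serverKey would accept a token minted with the shared literal. After the fix
// (per-deployment key) this must be false.
func AcceptsSharedKeyToken(serverKey []byte) bool {
	tok, err := signHS256(sharedLiteralKey, claims{Sub: "admin", Role: "administrator"})
	if err != nil {
		return false
	}
	_, err = verifyHS256(serverKey, tok)
	return err == nil
}

func main() {
	key, err := loadSigningKey("") // blank config: random per-deployment key
	if err != nil {
		panic(err)
	}
	tok, _ := signHS256(key, claims{Sub: "alice", Role: "viewer"})
	c, err := verifyHS256(key, tok)
	fmt.Println("own token:", c, err)
	fmt.Println("accepts token signed with shared literal:", AcceptsSharedKeyToken(key))
}
```

The check is only meaningful because `loadSigningKey` never falls back to a constant: with the pre-fix behaviour (`AcceptsSharedKeyToken(sharedLiteralKey)`) the foreign token verifies, which is exactly the condition the advisory describes.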
gopherbot commented 1 year ago

Change https://go.dev/cl/464316 mentions this issue: data/excluded: batch add excluded reports

gopherbot commented 5 months ago

Change https://go.dev/cl/592759 mentions this issue: data/reports: unexclude 75 reports

gopherbot commented 2 months ago

Change https://go.dev/cl/606781 mentions this issue: data/reports: unexclude 20 reports (1)