Impact
The /registercrd endpoint in KubePlus 4.14's kubeconfiggenerator component processes user-supplied chartName data by directly concatenating it into a shell command executed via subprocess.Popen with shell=True. This lack of input sanitization allows an attacker to embed malicious shell commands, enabling unrestricted code execution on the host system. The weakness is a classic command injection (CWE-94).
Affected Systems
KubePlus version 4.14, specifically the kubeconfiggenerator component whose /registercrd API endpoint accepts a chartName parameter.
Risk and Exploitability
The vulnerability has a CVSS score of 8.8, indicating high severity, yet its EPSS score of 2% suggests a low exploitation probability. It is not listed in CISA's KEV catalog. The from the fact that the vulnerable functionality is exposed as an HTTP API endpoint that accepts user-supplied parameters. An attacker would need to send a crafted HTTP request to the /registercrd endpoint, which could be accessible through privileged or exposed interfaces. If successful, the attacker can achieve arbitrary shell execution, effectively taking full control over the kubeconfiggenerator service.
OpenCVE Enrichment