Kubetail Cross-Site WebSocket Hijacking Vulnerability Allowing Unauthorized Log Access

Vulnerability

A Cross-Site WebSocket Hijacking (CSWSH) vulnerability has been identified in Kubetail, a real-time logging dashboard for Kubernetes, affecting Dashboard versions prior to 0.14.0. The issue arises because the dashboard's WebSocket endpoints did not validate the Origin header during the connection upgrade. Because browsers send the user's credentials (cookies, or cached HTTP basic auth) on the upgrade request regardless of which page opened the socket, a malicious web page can open a WebSocket connection to the dashboard of a user with an active Kubetail session and read Kubernetes logs in real time. The vulnerability affects both the desktop deployment, which defaults to 'localhost:7500', and cluster deployments, which are typically behind an Ingress with HTTP basic authentication.

Impact

Exploitation of this vulnerability allows an attacker to read Kubernetes logs from an authenticated user. While the access is read-only, it can be significant as container logs may contain sensitive information such as credentials, bearer tokens, internal hostnames, customer PII, and other secrets. The desktop deployment is particularly vulnerable because the dashboard is accessible at a predictable localhost URL, requires no network reachability from the attacker, and the browser automatically includes credentials in the WebSocket handshake. For cluster deployments with HTTP basic auth, the browser's automatic resending of authentication credentials on the WebSocket upgrade request enables the same attack.
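The missing check described in the Vulnerability and Impact sections is an Origin comparison on the WebSocket handshake. The following Go code is an added, illustrative example (not Kubetail's own code) of the kind of guard a dashboard backend needs: it accepts a handshake only when the Origin header matches the request's own Host or an explicit allowlist, refuses anything else with 403 before any log stream is opened, and logs the rejection so a defender can spot hijacking attempts. The function names, the "/ws" path and the "kubetail.example.internal" allowlist entry are hypothetical; a missing Origin is treated as a non-browser client (browsers always send Origin on a WebSocket handshake), which is the usual default in Go WebSocket libraries and is a policy choice, not something the advisory specifies.

```go
package main

// Added example, not Kubetail's own code. Demonstrates an Origin check for
// WebSocket upgrade requests of the kind the advisory says was missing
// before Dashboard 0.14.0. Endpoint path and allowlist names are hypothetical.

import (
	"log"
	"net/http"
	"net/url"
	"strings"
)

// isWebSocketUpgrade reports whether the request is a WebSocket handshake.
func isWebSocketUpgrade(r *http.Request) bool {
	return strings.EqualFold(r.Header.Get("Upgrade"), "websocket") &&
		strings.Contains(strings.ToLower(r.Header.Get("Connection")), "upgrade")
}

// originAllowed decides whether the Origin header value may open a WebSocket
// to a server reached as reqHost (the request's Host header, e.g.
// "localhost:7500"). extraAllowed lists further "scheme://host[:port]"
// origins, e.g. a dashboard served behind an Ingress under another hostname.
func originAllowed(origin, reqHost string, extraAllowed []string) bool {
	if origin == "" {
		// No Origin: non-browser client (CLI, curl). Browsers always send
		// Origin on a WebSocket handshake, so CSWSH cannot arrive this way.
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return false // "null", malformed, or non-web origin
	}
	if strings.EqualFold(u.Host, reqHost) {
		return true // same-origin: the dashboard's own pages
	}
	normalized := u.Scheme + "://" + u.Host
	for _, a := range extraAllowed {
		if strings.EqualFold(strings.TrimRight(a, "/"), normalized) {
			return true
		}
	}
	return false
}

// requireTrustedOrigin wraps a WebSocket handler so that cross-origin upgrade
// attempts are refused with 403 before any log stream is opened. Rejections
// are logged with origin, host and remote address for detection purposes.
// Non-upgrade requests pass through untouched; those are covered by CORS.
func requireTrustedOrigin(extraAllowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isWebSocketUpgrade(r) {
			origin := r.Header.Get("Origin")
			if !originAllowed(origin, r.Host, extraAllowed) {
				log.Printf("rejected cross-origin websocket upgrade: origin=%q host=%q remote=%s",
					origin, r.Host, r.RemoteAddr)
				http.Error(w, "forbidden: untrusted origin", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Stand-in for the dashboard's log-streaming endpoint; a real handler
	// would perform the WebSocket upgrade and start streaming pod logs here.
	logStream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write([]byte("origin accepted; websocket upgrade would happen here\n"))
	})
	http.Handle("/ws", requireTrustedOrigin([]string{"https://kubetail.example.internal"}, logStream))
	log.Println("listening on localhost:7500 (hypothetical desktop default)")
	log.Fatal(http.ListenAndServe("localhost:7500", nil))
}
```

The check compares the full host, including the port, so a page on "localhost:8080" cannot reach a dashboard on "localhost:7500"; the allowlist exists for the cluster case where the Ingress hostname differs from what the backend sees in Host.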

Reproduction

To reproduce this vulnerability, an authenticated Kubetail user must be convinced to visit an attacker-controlled web page using Google Chrome or Microsoft Edge. Once the page is loaded, it can establish a WebSocket connection to the user's Kubetail dashboard, which accepts the handshake because it does not validate the Origin header, and begin streaming Kubernetes logs from the victim's session.

Remediation

Users should upgrade to Kubetail Dashboard version 0.14.0 or later, Kubetail Helm Chart version 0.23.0 or later, or Kubetail CLI version 0.16.0 or later. If an immediate upgrade is not possible, desktop users should stop the dashboard when not in use and avoid visiting untrusted sites in the same browser profile. For cluster deployments, access should be restricted to a VPN, bastion, or office network, and a stronger authentication layer should be added in front of basic auth.

Added: May 14, 2026, 5:30 PM
Updated: May 14, 2026, 5:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 6.1
remediation: 0.0
relevance: 8.3
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.