Core security flaw in version ≤ 1.0.1

A security flaw was found in NS8 Beta 1. The issue remediation is already available in Core update 1.1.0.

Further issue details will be disclosed on next Monday, Jun 26.

To fix the flaw, follow the update procedure documented here

Read that post carefully and run also the commands as described there!

1 Like


The api-server component returns a valid JWT string to user default with any password. Obtaining such token is possible to anyone by simply reaching the HTTPS address /cluster-admin.

An attacker could potentially steal the system administrator password or other secrets exchanged by the system administrator by invoking the administrative APIs of the cluster-admin web application.

Parameters of API invocations (like a password change request) are retained for 8 hours: during this time frame they are accessible with a valid JWT.


Just follow the instructions of Core update 1.1.0 ⚠, then do not forget to change the password of the cluster-admin application.

1 Like

This topic was automatically closed after 6 days. New replies are no longer allowed.