Description
The api-server component issues a valid JWT to the user default regardless of the password supplied. Anyone who can reach the HTTPS address /cluster-admin can therefore obtain such a token without knowing any credential.
With that token an attacker can invoke the administrative APIs of the cluster-admin web application and, through them, read the system administrator password or other secrets the system administrator exchanged with the application.
Parameters of API invocations (for example, a password change request) are retained for 8 hours; during that window they are readable by anyone presenting a valid JWT.
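The following script is an added example, not code from the advisory or from the vendor: it performs the check an administrator would want before and after applying the fix, i.e. whether the api-server still hands out a JWT for user default when given a random password. The login path (/api/login) and the JSON field names (username, password, token) are assumptions, since the advisory only names the /cluster-admin address; adjust them to the real API. The sample token and response body are constructed inline so the parsing logic can be exercised offline.

```python
"""Check whether an api-server issues a JWT to user "default" with any password.

Added example, not part of the advisory. Assumptions (not stated by the
advisory): LOGIN_PATH and the JSON field names are placeholders.
"""
import base64
import json
import secrets
import ssl
import sys
import urllib.error
import urllib.request

LOGIN_PATH = "/api/login"  # assumption: placeholder, adjust to the real endpoint


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as used in JWT compact form."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def parse_jwt(token: str):
    """Return (header, claims) if token is structurally a JWS compact JWT.

    The signature is deliberately NOT verified: the check only needs to know
    whether the server issued a token at all for an invalid password.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or "alg" not in header:
        return None
    if not isinstance(claims, dict):
        return None
    return header, claims


def token_from_response(body: bytes):
    """Extract a JWT from a JSON login response, or None if there is none."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    for key in ("token", "access_token", "jwt"):  # assumed field names
        value = data.get(key)
        if isinstance(value, str) and parse_jwt(value) is not None:
            return value
    return None


def is_vulnerable(status: int, body: bytes) -> bool:
    """A 2xx reply carrying a JWT for a random password means no password check."""
    return 200 <= status < 300 and token_from_response(body) is not None


def probe(base_url: str, verify_tls: bool = True) -> bool:
    """POST a login for user "default" with a random password; True if a JWT comes back."""
    password = secrets.token_urlsafe(24)  # random, never a real credential
    payload = json.dumps({"username": "default", "password": password}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + LOGIN_PATH, data=payload,
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for self-signed lab installs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return is_vulnerable(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return is_vulnerable(err.code, err.read())


# Constructed sample (not captured from a real server): a JWT-shaped token and
# the JSON body a vulnerable server might return with it.
def make_sample_token(claims: dict) -> str:
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{enc(json.dumps(claims).encode())}.{enc(b'fake-signature')}"


SAMPLE_TOKEN = make_sample_token({"sub": "default", "exp": 0})
SAMPLE_BODY = json.dumps({"token": SAMPLE_TOKEN}).encode()

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: check.py https://host [--insecure]")
        sys.exit(2)
    hit = probe(sys.argv[1], verify_tls="--insecure" not in sys.argv)
    print("VULNERABLE: JWT issued for default with a random password" if hit
          else "not vulnerable: no JWT issued")
```

Run it against the node before and after the update; a clean result after the update is the point at which the password change in the Solution section should be done, since any token obtained earlier may already have exposed it.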
Solution
Follow the instructions of Core update 1.1.0, then change the password of the cluster-admin application: a token obtained before the update could already have exposed the current one.