id: kubernetes-pods-api

info:
  name: Kubernetes Pods - API Discovery & Remote Code Execution
  author: ilovebinbash,geeknik,0xtavian
  severity: critical
  description: A Kubernetes Pods API was discovered. When the service port is available, unauthenticated users can execute commands inside the container.
  reference:
    - https://github.com/officialhocc/Kubernetes-Kubelet-RCE
    - https://blog.binaryedge.io/2018/12/06/kubernetes-being-hijacked-worldwide/
  metadata:
    max-request: 2
  tags: k8,unauth,kubernetes,devops,misconfig

http:
  - method: GET
    path:
      - '{{BaseURL}}/pods'
      - '{{BaseURL}}/api/v1/pods'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "apiVersion"

      - type: word
        words:
          - "application/json"
        part: header

      - type: status
        status:
          - 200

# digest: 490a004630440220143f86f473fcb74736d85435c11b69e2645ba37764c811f4e110e562a564f86f02203653a4866258336dcab5cc24bd804ff82ececf124d7ca7f8d9b4685e6bf71b1b:922c64590222798bb761d5b6d8e72950