An issue pertaining to CWE-259: Use of Hard-coded Password was discovered in oslabs-beta ThermaKube master.
The ThermaKube application contains a password hardcoded into the source code. An attacker who discovers this password (e.g., by analyzing the publicly available GitHub repository) can use it to authenticate to the system without possessing legitimate credentials. The attack vector is network-based, requires no privileges or user interaction.
An attacker can gain full access to the system with compromise of confidentiality, integrity, and availability of data — which corresponds to maximum scores in each of these categories in the CVSS vector.
The hardcoded password must be immediately removed from the source code and replaced with a secure credential management mechanism (e.g., environment variables, vault). Patches available from the vendor should be applied according to the references. It is also recommended to rotate all credentials that may have been exposed.
oslabs-beta ThermaKube, master branch (specific versions were not indicated in the description — check vendor references)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H