KubeOperator allows unauthorized access to system API
Description

### Summary
The API endpoint `/api/v1/clusters/kubeconfig/` can be reached without authentication and leaks sensitive information: the kubeconfig of the named cluster.
### Details
The v1 route is registered without any access restriction: `downloadKubeconfig` is invoked directly for whatever cluster name is supplied in the path.

The handler lives in `pkg/router/v1/white.go` and performs no authentication or authorization check before returning the kubeconfig:
```go
// pkg/router/v1/white.go (excerpt). The import paths for the iris context and
// the project's service package are assumed from the KubeOperator code base.
package v1

import (
	"fmt"
	"net/http"

	"github.com/KubeOperator/KubeOperator/pkg/service"
	"github.com/kataras/iris/v12/context"
)

// downloadKubeconfig is reachable without a session: the only input is the
// cluster name from the URL, which is passed straight to the cluster service.
func downloadKubeconfig(ctx context.Context) {
	clusterName := ctx.Params().GetString("name")
	ctx.Header("Content-Disposition", "attachment")
	ctx.Header("filename", fmt.Sprintf("%s-config", clusterName))
	ctx.Header("Content-Type", "application/download")
	clusterService := service.NewClusterService()
	str, err := clusterService.GetKubeconfig(clusterName)
	if err != nil {
		_, _ = ctx.JSON(err)
		ctx.StatusCode(http.StatusInternalServerError)
	}
	_, _ = ctx.WriteString(str) // still executed after an error
}
```
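For comparison, the following is an added example (not code from the KubeOperator project) of the same download handler with the checks the vulnerable route lacks: the caller must have a valid session, must be authorized for the named cluster, and every failure path returns before the body is written. It is written against `net/http`, and `Authenticator`, `KubeconfigLookup`, `sampleAuth` and `sampleLookup` are hypothetical seams and fixtures standing in for the project's session store and `GetKubeconfig`.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

// Hypothetical seams (not the project's own types) for KubeOperator's session
// check and for service.NewClusterService().GetKubeconfig. The Authenticator
// returns the set of clusters the caller is allowed to administer.
type Authenticator func(r *http.Request) (map[string]bool, error)
type KubeconfigLookup func(clusterName string) (string, error)

// newKubeconfigHandler serves a kubeconfig only to an authenticated caller
// who is authorized for the named cluster; every failure path returns early.
func newKubeconfigHandler(auth Authenticator, lookup KubeconfigLookup) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		allowed, err := auth(r)
		if err != nil { // no session: reveal nothing, not even whether the cluster exists
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		clusterName := strings.TrimPrefix(r.URL.Path, "/api/v1/clusters/kubeconfig/")
		if clusterName == "" || !allowed[clusterName] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		cfg, err := lookup(clusterName)
		if err != nil {
			http.Error(w, "kubeconfig lookup failed", http.StatusInternalServerError)
			return // the original handler fell through and wrote the body anyway
		}
		w.Header().Set("Content-Disposition", `attachment; filename="`+clusterName+`-config"`)
		w.Header().Set("Content-Type", "application/octet-stream")
		_, _ = w.Write([]byte(cfg))
	}
}

// Constructed fixtures for the example: one bearer token, one cluster.
func sampleAuth(r *http.Request) (map[string]bool, error) {
	if r.Header.Get("Authorization") == "Bearer tok-alice" {
		return map[string]bool{"prod": true}, nil
	}
	return nil, errors.New("no valid session")
}
func sampleLookup(name string) (string, error) {
	return "apiVersion: v1\nkind: Config\n# constructed sample for " + name + "\n", nil
}
```

The lookup error branch matters as much as the auth checks: the original handler set a 500 status and then still wrote whatever `GetKubeconfig` returned.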

### Impact
This is an unauthorized-access vulnerability affecting the cluster kubeconfig: with the kubeconfig in hand, an attacker can take over the cluster under certain conditions.