GHSA-5248-H45P-9PGW

Vulnerability from github – Published: 2024-07-12 13:56 – Updated: 2024-11-18 16:26
Summary
SQL Injection in the KubeClarity REST API
Details

Summary

A time-based/boolean-based SQL injection is present in the resource /api/applicationResources via the packageID query parameter.

Details

As can be seen in backend/pkg/database/id_view.go at line 79 (https://github.com/openclarity/kubeclarity/blob/main/backend/pkg/database/id_view.go#L79), the SQL query is built with fmt.Sprintf, so the packageID value is spliced directly into the query string without first being subjected to any validation.

PoC

The following command should be able to trigger a basic version of the behavior:

    curl -i -s -k -X $'GET' \
        -H $'Host: kubeclarity.test' \
        $'https://kubeclarity.test/api/applicationResources?page=1&pageSize=50&sortKey=vulnerabilities&sortDir=DESC&packageID=c89973a6-4e7f-50b5-afe2-6bf6f4d3da0a\'HTTP/2'

Impact

While using the Helm chart, the impact of this vulnerability is limited since it allows read access only to the KubeClarity database, to which access is already given as far as I understand to regular users anyway. On the other hand, if KubeClarity is deployed in a less secure way, this might allow access to more data than allowed or expected (beyond the limits of the KubeClarity database). The vulnerable line was introduced as part of the initial commit of KubeClarity, so all versions up until the latest (2.23.1) are assumed vulnerable.
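To make the Details section concrete, the following Go program is an added illustration, not KubeClarity's own code and not the content of id_view.go: it places the fmt.Sprintf pattern the advisory describes next to a hardened form that validates packageID and passes it as a bind argument. The function names, the table and column names (application_resources, package_id) and the UUID check are assumptions chosen for the example; the sample packageID is the one from the advisory's PoC, and the malformed input is that same value with a single quote appended, constructed here as test data.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Illustrative code added to this page; not KubeClarity's implementation.
// Table, column and function names are assumptions for the example.

// uuidRe matches the canonical 8-4-4-4-12 hex form that the packageID in the
// advisory (c89973a6-4e7f-50b5-afe2-6bf6f4d3da0a) uses.
var uuidRe = regexp.MustCompile(
	`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)

// ErrInvalidPackageID is returned for any packageID that is not a UUID.
var ErrInvalidPackageID = errors.New("packageID is not a well-formed UUID")

// ValidatePackageID is the input check the advisory says is missing: it
// rejects anything that is not a well-formed UUID before the value can
// reach a SQL statement.
func ValidatePackageID(id string) error {
	if !uuidRe.MatchString(id) {
		return ErrInvalidPackageID
	}
	return nil
}

// BuildFilterUnsafe reproduces the vulnerable pattern: the caller-controlled
// value is formatted into the SQL text with fmt.Sprintf, so whatever the
// client sends (including quote characters) becomes part of the statement.
func BuildFilterUnsafe(packageID string) string {
	return fmt.Sprintf(
		"SELECT * FROM application_resources WHERE package_id = '%s'", packageID)
}

// BuildFilterSafe is the hardened form: the SQL text is a constant and the
// value travels separately as a bind argument, so the database driver never
// parses it as SQL. With database/sql the pair is passed as
// db.Query(query, args...); with GORM as db.Where("package_id = ?", id).
// Validation is kept as a second, independent layer.
func BuildFilterSafe(packageID string) (query string, args []any, err error) {
	if err := ValidatePackageID(packageID); err != nil {
		return "", nil, err
	}
	return "SELECT * FROM application_resources WHERE package_id = ?",
		[]any{packageID}, nil
}

// StatementIsTainted is a simple self-check for a code review or unit test:
// the final SQL text must never contain the untrusted value verbatim.
func StatementIsTainted(query, untrusted string) bool {
	return strings.Contains(query, untrusted)
}

func main() {
	good := "c89973a6-4e7f-50b5-afe2-6bf6f4d3da0a" // packageID from the PoC
	bad := good + "'"                               // constructed: stray quote appended

	fmt.Println("unsafe:", BuildFilterUnsafe(bad)) // quote lands inside the SQL text

	if q, args, err := BuildFilterSafe(good); err == nil {
		fmt.Println("safe:  ", q, args) // constant SQL, value carried as an argument
	}
	if _, _, err := BuildFilterSafe(bad); err != nil {
		fmt.Println("safe:   rejected ->", err) // malformed input never reaches SQL
	}
}
```

The two layers are deliberate: the bind argument is what actually prevents the injection, while the UUID check gives an early, loggable rejection that is easy to alert on (a 400 with a non-UUID packageID is a useful detection signal for this endpoint).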


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openclarity/kubeclarity/backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20240711173334-1d1178840703"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39909"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-12T13:56:42Z",
    "nvd_published_at": "2024-07-12T15:15:11Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA time/boolean SQL Injection is present in the following resource `/api/applicationResources` via the following parameter `packageID`\n\n### Details\nAs it can be seen [here](https://github.com/openclarity/kubeclarity/blob/main/backend/pkg/database/id_view.go#L79), while building the SQL Query the `fmt.Sprintf` function is used to build the query string without the input having first been subjected to any validation.\n\n### PoC\nThe following command should be able to trigger a basic version of the behavior:\n`curl -i -s -k -X $\u0027GET\u0027 \\\n    -H $\u0027Host: kubeclarity.test\u0027 \\\n    $\u0027https://kubeclarity.test/api/applicationResources?page=1\u0026pageSize=50\u0026sortKey=vulnerabilities\u0026sortDir=DESC\u0026packageID=c89973a6-4e7f-50b5-afe2-6bf6f4d3da0a\\\u0027HTTP/2\u0027`\n\n### Impact\nWhile using the Helm chart, the impact of this vulnerability is limited since it allows read access only to the kuberclarity database, to which access is already given as far as I understand to regular users anyway.\nOn the other hand, if Kuberclarity is deployed in a less secure way, this might allow access to more data then allowed or expected (beyond the limits of the KuberClarity database). The vulnerable line was introduced as part of the initial commit of Kubeclarity, so all versions up until the latest (2.23.1) are assumed vulnerable.",
  "id": "GHSA-5248-h45p-9pgw",
  "modified": "2024-11-18T16:26:51Z",
  "published": "2024-07-12T13:56:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclarity/kubeclarity/security/advisories/GHSA-5248-h45p-9pgw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39909"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclarity/kubeclarity/commit/1d1178840703a72d9082b7fc4aea0a3326c5d294"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclarity/kubeclarity"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclarity/kubeclarity/blob/main/backend/pkg/database/id_view.go#L79"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SQL Injection in the KubeClarity REST API"
}