Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01MjQ4LWg0NXAtOXBnd84AA90n
SQL Injection in the KubeClarity REST API
Summary
A time/boolean SQL Injection is present in the following resource /api/applicationResources via the following parameter packageID
Details
As it can be seen here, while building the SQL Query the fmt.Sprintf function is used to build the query string without the input having first been subjected to any validation.
PoC
The following command should be able to trigger a basic version of the behavior:
curl -i -s -k -X $'GET' \ -H $'Host: kubeclarity.test' \ $'https://kubeclarity.test/api/applicationResources?page=1&pageSize=50&sortKey=vulnerabilities&sortDir=DESC&packageID=c89973a6-4e7f-50b5-afe2-6bf6f4d3da0a\'HTTP/2'
Impact
While using the Helm chart, the impact of this vulnerability is limited since it allows read access only to the kuberclarity database, to which access is already given as far as I understand to regular users anyway.
On the other hand, if Kuberclarity is deployed in a less secure way, this might allow access to more data then allowed or expected (beyond the limits of the KuberClarity database). The vulnerable line was introduced as part of the initial commit of Kubeclarity, so all versions up until the latest (2.23.1) are assumed vulnerable.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01MjQ4LWg0NXAtOXBnd84AA90n
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 5 days ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-5248-h45p-9pgw, CVE-2024-39909
References:
- https://github.com/openclarity/kubeclarity/security/advisories/GHSA-5248-h45p-9pgw
- https://github.com/openclarity/kubeclarity/commit/1d1178840703a72d9082b7fc4aea0a3326c5d294
- https://github.com/openclarity/kubeclarity/blob/main/backend/pkg/database/id_view.go#L79
- https://nvd.nist.gov/vuln/detail/CVE-2024-39909
- https://github.com/advisories/GHSA-5248-h45p-9pgw
Blast Radius: 1.0
Affected Packages
go:github.com/openclarity/kubeclarity/backend
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 0.0.0-20240711173334-1d1178840703
Fixed in: 0.0.0-20240711173334-1d1178840703
All affected versions: 0.0.0-20221107060337-514f08c02306, 0.0.0-20221118114824-de631156cfd9, 0.0.0-20221123160455-dd042bb7bc65, 0.0.0-20221202152925-cf188c2a1e48, 0.0.0-20221215121109-a32c0bdb3661, 0.0.0-20230103062317-dce58e59584a, 0.0.0-20230103084820-8fb35ff0ddd5, 0.0.0-20230113132525-8bfc518e128e, 0.0.0-20230115121316-7e3476948604, 0.0.0-20230116103936-01a8c4a15229, 0.0.0-20230116154833-8620cd41af81, 0.0.0-20230117084115-73b6484c2ada, 0.0.0-20230117105324-aaab7dcf2fc9, 0.0.0-20230118111251-6ea43893447b, 0.0.0-20230119112010-3c341b776fc7, 0.0.0-20230203162631-4ed68e7b9894, 0.0.0-20230226204943-7b089a31d85b, 0.0.0-20230227140627-948af6d71622, 0.0.0-20230305103956-6ef366d4c8a4, 0.0.0-20230308115322-1a23e70826b5, 0.0.0-20230315112024-d5856546d7c4, 0.0.0-20230326154111-f234f43fbcb3, 0.0.0-20230327091108-7f4fa848f6cc, 0.0.0-20230417084923-150e56a5139d, 0.0.0-20230418082848-e160630db05e, 0.0.0-20230418104915-444ec62e2b56, 0.0.0-20230418153321-c0cbf980c6d0, 0.0.0-20230419060619-2a1e2415993c, 0.0.0-20230419082939-52f2e153c8e9, 0.0.0-20230424123337-393d9e1e0632, 0.0.0-20230424132825-84cfaf7f31c7, 0.0.0-20230503041851-dcecc1e32186, 0.0.0-20230503045300-4d555a59869c, 0.0.0-20230503053359-63a6482c8112, 0.0.0-20230503072245-c66fb599d44d, 0.0.0-20230503074245-0199b41a7b8f, 0.0.0-20230504082640-4318a6f52514, 0.0.0-20230507114343-5566bfdd78df, 0.0.0-20230508132218-d1185e6e6377, 0.0.0-20230510090951-f8c635edbafa, 0.0.0-20230518100815-225541afca6f, 0.0.0-20230518134352-449bb16dc49b, 0.0.0-20230524142431-f4b84dbf78df, 0.0.0-20230528071446-fe1ae5d481e4, 0.0.0-20230530111553-e5fff50e5387, 0.0.0-20230531084655-ee0830c03592, 0.0.0-20230531170143-94c7c0954b87, 0.0.0-20230607141603-8711f5fc5c44, 0.0.0-20230611140216-efc7b0c1ff02, 0.0.0-20230628115707-987c27ddfc67, 0.0.0-20230628132113-239cee081fe5, 0.0.0-20230705103948-15cefca8ca45, 0.0.0-20230709084642-6c129dd507f4, 0.0.0-20230718034658-4fdda45754a8, 0.0.0-20230718161517-dfd66b59f6b4, 0.0.0-20230719201435-b3c2297d386c, 0.0.0-20230721090116-cbbfee3e2937, 0.0.0-20230730131553-dffc4c294c51, 0.0.0-20230802105151-2caad09a4e94, 0.0.0-20230807092620-9124bb50e323, 0.0.0-20230903080347-a4922f815297, 0.0.0-20230905112621-22b3442a5e20, 0.0.0-20230906110228-9da776cb074a, 0.0.0-20230906135801-736f7b53c3e5, 0.0.0-20230907110354-faccbffc61e6, 0.0.0-20230910131555-89b14c11a0a0, 0.0.0-20230911112511-e52ab260775a, 0.0.0-20230911134449-8ccdeb49e76f, 0.0.0-20230911145448-da64782758f6, 0.0.0-20230912073615-35847475a703, 0.0.0-20230912113315-7aa17a5e0ada, 0.0.0-20230912132516-d12ae201c924, 0.0.0-20230919093336-30e3c0ea31f4, 0.0.0-20230926161332-01dbaa56488f, 0.0.0-20230928104905-5d942857b75f, 0.0.0-20231001113046-804116515b58, 0.0.0-20231003113853-217c5fc8c9f1, 0.0.0-20231023124807-034a6f24faed, 0.0.0-20231028111304-952f5448797a, 0.0.0-20231105124619-28536d550e90, 0.0.0-20231105130854-7285dcf39c1c, 0.0.0-20231105135111-161f299e9720, 0.0.0-20231106185235-7f39d7bfeb33, 0.0.0-20231106192127-d7778d438872, 0.0.0-20231107093511-8d616dab0833, 0.0.0-20231107095648-5ac3048b7a78, 0.0.0-20231219062715-948ac4b46274, 0.0.0-20231219072723-6d01a99257a5, 0.0.0-20231219083916-bfc7f0dc06fa, 0.0.0-20231220064120-6ef30a4e9a65, 0.0.0-20231226060048-d4857440fc12, 0.0.0-20231226073505-31aed868104d, 0.0.0-20231226082814-14e5ee0984b1, 0.0.0-20231228082645-722db2dc4f6e, 0.0.0-20240109080422-32faff4dbb27, 0.0.0-20240111133845-5f6b41116110
All unaffected versions: