Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tNXhmLXg3cTYtM3JtN84AAv8J
KubeVela VelaUX APIserver has SSRF vulnerability
Impact
Users using the VelaUX APIServer could be affected by this vulnerability.
When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability.
This issue is patched in 1.5.9 and 1.6.2.
References
Fix by: #5000
For more information
If you have any questions or comments about this advisory:
- Open an issue in KubeVela repo
- Email us at here
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNXhmLXg3cTYtM3JtN84AAv8J
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 8 months ago
CVSS Score: 4.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Identifiers: GHSA-m5xf-x7q6-3rm7, CVE-2022-39383
References:
- https://github.com/kubevela/kubevela/security/advisories/GHSA-m5xf-x7q6-3rm7
- https://nvd.nist.gov/vuln/detail/CVE-2022-39383
- https://github.com/kubevela/kubevela/pull/5000
- https://pkg.go.dev/vuln/GO-2022-1113
- https://github.com/advisories/GHSA-m5xf-x7q6-3rm7
Blast Radius: 7.0
Affected Packages
go:github.com/oam-dev/kubevela
Dependent packages: 16Dependent repositories: 27
Downloads:
Affected Version Ranges: >= 1.6.0-alpha.1, < 1.6.2, < 1.5.9
Fixed in: 1.6.2, 1.5.9
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.13, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.5.0, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.6.0, 1.6.0-alpha.1, 1.6.0-alpha.2, 1.6.0-alpha.3, 1.6.0-alpha.4, 1.6.0-alpha.5, 1.6.0-alpha.6, 1.6.0-beta.1, 1.6.0-beta.2, 1.6.1
All unaffected versions: 1.5.9, 1.5.10, 1.5.11, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9