Skip to content

SQL Injection in the KubeClarity REST API

Moderate severity GitHub Reviewed Published Jul 12, 2024 in openclarity/openclarity • Updated Sep 6, 2024

Package

gomod github.com/openclarity/kubeclarity/backend (Go)

Affected versions

< 0.0.0-20240711173334-1d1178840703

Patched versions

0.0.0-20240711173334-1d1178840703

Description

Summary

A time/boolean SQL Injection is present in the following resource /api/applicationResources via the following parameter packageID

Details

As it can be seen here, while building the SQL Query the fmt.Sprintf function is used to build the query string without the input having first been subjected to any validation.

PoC

The following command should be able to trigger a basic version of the behavior:
curl -i -s -k -X $'GET' \ -H $'Host: kubeclarity.test' \ $'https://kubeclarity.test/api/applicationResources?page=1&pageSize=50&sortKey=vulnerabilities&sortDir=DESC&packageID=c89973a6-4e7f-50b5-afe2-6bf6f4d3da0a\'HTTP/2'

Impact

While using the Helm chart, the impact of this vulnerability is limited since it allows read access only to the kuberclarity database, to which access is already given as far as I understand to regular users anyway.
On the other hand, if Kuberclarity is deployed in a less secure way, this might allow access to more data then allowed or expected (beyond the limits of the KuberClarity database). The vulnerable line was introduced as part of the initial commit of Kubeclarity, so all versions up until the latest (2.23.1) are assumed vulnerable.

References

@ramizpolic ramizpolic published to openclarity/openclarity Jul 12, 2024
Published to the GitHub Advisory Database Jul 12, 2024
Reviewed Jul 12, 2024
Published by the National Vulnerability Database Jul 12, 2024
Last updated Sep 6, 2024

Severity

Moderate

EPSS score

0.045%
(17th percentile)

Weaknesses

CVE ID

CVE-2024-39909

GHSA ID

GHSA-5248-h45p-9pgw

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.