Vulnerability Description
KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. A time/boolean SQL Injection is present in the following resource `/api/applicationResources` via the following parameter `packageID`. As it can be seen in backend/pkg/database/id_view.go, while building the SQL Query the `fmt.Sprintf` function is used to build the query string without the input having first been subjected to any validation. This vulnerability is fixed in 2.23.1.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/openclarity/kubeclarity/blob/main/backend/pkg/database/id_vie
- https://github.com/openclarity/kubeclarity/commit/1d1178840703a72d9082b7fc4aea0a
- https://github.com/openclarity/kubeclarity/security/advisories/GHSA-5248-h45p-9p
- https://github.com/openclarity/kubeclarity/blob/main/backend/pkg/database/id_vie
- https://github.com/openclarity/kubeclarity/commit/1d1178840703a72d9082b7fc4aea0a
- https://github.com/openclarity/kubeclarity/security/advisories/GHSA-5248-h45p-9p
FAQ
What is CVE-2024-39909?
CVE-2024-39909 is a vulnerability with a CVSS score of 6.5 (MEDIUM). KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. A time/boolean SQL Injection is present in the followin...
How severe is CVE-2024-39909?
CVE-2024-39909 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-39909?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.