Description

KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. A time/boolean SQL Injection is present in the following resource `/api/applicationResources` via the following parameter `packageID`. As it can be seen in backend/pkg/database/id_view.go, while building the SQL Query the `fmt.Sprintf` function is used to build the query string without the input having first been subjected to any validation. This vulnerability is fixed in 2.23.1.

INFO

Published Date :

2024-07-12T14:34:25.230Z

Last Modified :

2024-08-02T04:33:11.579Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-39909 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-39909.

URL Resource
https://github.com/openclarity/kubeclarity/blob/main/backend/pkg/database/id_view.go#L79 cve-icon cve-icon cve-icon
https://github.com/openclarity/kubeclarity/commit/1d1178840703a72d9082b7fc4aea0a3326c5d294 cve-icon cve-icon cve-icon
https://github.com/openclarity/kubeclarity/security/advisories/GHSA-5248-h45p-9pgw cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact