CVE-2022-39383
CVSS V2 None
CVSS V3 Medium 6.5
Description
KubeVela is an open source application delivery platform. Users using the VelaUX APIServer could be affected by this vulnerability. When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability. Users who're using v1.6, please update the v1.6.1. Users who're using v1.5, please update the v1.5.8. There are no known workarounds for this issue.
Overview
- CVE ID
- CVE-2022-39383
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2022-11-16T20:15:10
- Last Modified Date
- 2022-11-18T21:37:13
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:linuxfoundation:kubevela:*:*:*:*:*:*:*:* | 1 | OR | 1.5.9 | |
| cpe:2.3:a:linuxfoundation:kubevela:*:*:*:*:*:*:*:* | 1 | OR | 1.6.0 | 1.6.2 |
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- NONE
- Base Score
- 6.5
- Base Severity
- MEDIUM
- Exploitability Score
- 2.8
- Impact Score
- 3.6
References
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-39383 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39383 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-11-16 21:00:11 | Added to TrackCVE | |||
| 2022-12-07 17:49:46 | 2022-11-16T20:15Z | 2022-11-16T20:15:10 | CVE Published Date | updated |
| 2022-12-07 17:49:46 | 2022-11-18T21:37:13 | CVE Modified Date | updated | |
| 2022-12-07 17:49:46 | Analyzed | Vulnerability Status | updated | |
| 2022-12-07 17:49:48 | CPE Information | updated |