CVE-2024-39909
CVSS V2 None
CVSS V3 None
Description
KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. A time/boolean SQL Injection is present in the following resource `/api/applicationResources` via the following parameter `packageID`. As it can be seen in backend/pkg/database/id_view.go, while building the SQL Query the `fmt.Sprintf` function is used to build the query string without the input having first been subjected to any validation. This vulnerability is fixed in 2.23.1.
Overview
- CVE ID
- CVE-2024-39909
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-07-12T14:34:25.230Z
- Last Modified Date
- 2024-07-12T18:04:01.688Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/openclarity/kubeclarity/security/advisories/GHSA-5248-h45p-9pgw | x_refsource_CONFIRM |
| https://github.com/openclarity/kubeclarity/commit/1d1178840703a72d9082b7fc4aea0a3326c5d294 | x_refsource_MISC |
| https://github.com/openclarity/kubeclarity/blob/main/backend/pkg/database/id_view.go#L79 | x_refsource_MISC |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-39909 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39909 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-07-13 13:20:09 | Added to TrackCVE |