SQL Injection Affecting github.com/openclarity/kubeclarity/backend/pkg/database package, versions <2.23.2
Snyk ID SNYK-GOLANG-GITHUBCOMOPENCLARITYKUBECLARITYBACKENDPKGDATABASE-7448452
- published 14 Jul 2024
- disclosed 12 Jul 2024
- credit b-abderrahmane
Introduced: 12 Jul 2024
CVE-2024-39909
How to fix?
Upgrade github.com/openclarity/kubeclarity/backend/pkg/database to version 2.23.2 or higher.
Overview
github.com/openclarity/kubeclarity/backend/pkg/database is a tool for the detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems.
Affected versions of this package are vulnerable to SQL Injection via the /api/applicationResources endpoint's packageID parameter, which is passed to fmt.Sprintf() in id_view.go without sanitization. This exposes the internal database to any user who can reach the endpoint. The issue is only exploitable when the application is not deployed via Helm; under a Helm deployment, such a user already has access to the database.
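The following Go snippet is an added illustration, not code from kubeclarity: it places the flawed pattern (packageID spliced into SQL text with fmt.Sprintf) beside the fixed pattern (the value bound as a query parameter) and adds a UUID format check as defense in depth. The column name, filter shape and helper names are assumptions; the sample IDs are constructed from the advisory's PoC value.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// uuidRe accepts only the canonical 8-4-4-4-12 hex form that package IDs use.
var uuidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)

// ValidPackageID rejects anything that is not a bare UUID, so a stray quote
// or other SQL metacharacter is refused before it reaches the query layer.
func ValidPackageID(id string) bool {
	return uuidRe.MatchString(id)
}

// VulnerableFilter mirrors the flawed pattern: the user-controlled value is
// formatted into the SQL text, so a quote in packageID rewrites the statement.
func VulnerableFilter(packageID string) string {
	return fmt.Sprintf("package_id = '%s'", packageID)
}

// SafeFilter keeps the SQL text constant and returns the value as a bound
// argument for the driver; the input is data and cannot alter the statement.
func SafeFilter(packageID string) (string, []interface{}) {
	return "package_id = ?", []interface{}{packageID}
}

// QuotesBalanced is a simple indicator that an input escaped the literal:
// an odd number of single quotes means the statement was broken open.
func QuotesBalanced(sql string) bool {
	return strings.Count(sql, "'")%2 == 0
}

func main() {
	// Constructed inputs: the advisory's ID, clean and with the PoC's trailing quote.
	clean := "c89973a6-4e7f-50b5-afe2-6bf6f4d3da0a"
	for _, id := range []string{clean, clean + "'"} {
		fmt.Printf("input %q valid=%v\n", id, ValidPackageID(id))
		v := VulnerableFilter(id)
		fmt.Printf("  vulnerable: %s (balanced=%v)\n", v, QuotesBalanced(v))
		s, args := SafeFilter(id)
		fmt.Printf("  safe: %s args=%q\n", s, args)
	}
}
```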
PoC
curl -i -s -k -X $'GET' \
  -H $'Host: kubeclarity.test' \
  $'https://kubeclarity.test/api/applicationResources?page=1&pageSize=50&sortKey=vulnerabilities&sortDir=DESC&packageID=c89973a6-4e7f-50b5-afe2-6bf6f4d3da0a\'HTTP/2'