CVE-2022-39383 – github.com/oam-dev/kubevela

Package

Manager: go
Name: github.com/oam-dev/kubevela
Vulnerable Version: >=1.6.0-alpha.1 <1.6.2 || >=0 <1.5.9

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00078 pctl0.23967

Details

KubeVela VelaUX APIserver has SSRF vulnerability ### Impact Users using the VelaUX APIServer could be affected by this vulnerability. When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability. This issue is patched in 1.5.9 and 1.6.2. ### References Fix by: #5000 ### For more information If you have any questions or comments about this advisory: * Open an issue in [KubeVela repo](https://github.com/kubevela/kubevela) * Email us at [here](https://github.com/kubevela/kubevela#contact-us)

Metadata

Created: 2022-11-18T17:14:39Z
Modified: 2023-08-29T22:52:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-m5xf-x7q6-3rm7/GHSA-m5xf-x7q6-3rm7.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-m5xf-x7q6-3rm7
Finding: F100
Auto approve: 1