CVE-2024-39909

MEDIUM

KubeClarity < 2.23.1 - SQL Injection via packageID Parameter

Title source: llm

Description

KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. A time-based/boolean-based SQL injection is present in the resource `/api/applicationResources` via the `packageID` parameter. As can be seen in backend/pkg/database/id_view.go, the SQL query is built with `fmt.Sprintf`, which interpolates the input directly into the query string without the input first having been subjected to any validation. This vulnerability is fixed in 2.23.1.
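To make the described defect concrete, the following added example (not KubeClarity's code; table and column names, the identifier pattern, and the function names are assumptions) contrasts the `fmt.Sprintf` pattern the description names with a parameterized statement plus format validation, the shape of fix a reviewer would expect for a CWE-89 finding. An input containing a single quote is enough to show why interpolation is wrong: the quote becomes part of the SQL syntax instead of remaining data.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Illustrative only: this is not KubeClarity's code. The table name,
// column name and identifier format are assumptions made for the example.

// vulnerableQuery mirrors the pattern the CVE describes: the caller-supplied
// packageID is interpolated straight into the SQL text, so any quote in the
// input alters the structure of the statement rather than staying a value.
func vulnerableQuery(packageID string) string {
	return fmt.Sprintf("SELECT * FROM application_resources WHERE package_id = '%s'", packageID)
}

// packageIDPattern is an assumed allowlist for the identifier (hex digits and
// dashes, bounded length); the real format used by KubeClarity may differ.
var packageIDPattern = regexp.MustCompile(`^[0-9a-fA-F-]{1,64}$`)

// ErrInvalidPackageID is returned when the input fails the format check.
var ErrInvalidPackageID = errors.New("packageID does not match the expected format")

// safeQuery returns a parameterized statement plus its bound arguments, the
// shape database/sql expects from db.Query(query, args...). The value never
// becomes part of the SQL text, so the driver transmits it as data, not as
// syntax. The format check is an additional, defence-in-depth layer.
func safeQuery(packageID string) (query string, args []any, err error) {
	if !packageIDPattern.MatchString(packageID) {
		return "", nil, ErrInvalidPackageID
	}
	return "SELECT * FROM application_resources WHERE package_id = ?", []any{packageID}, nil
}

func main() {
	// Constructed input containing a single quote.
	input := "abc'123"
	fmt.Println("interpolated:", vulnerableQuery(input))
	q, args, err := safeQuery(input)
	fmt.Println("parameterized:", q, args, err)
	q, args, err = safeQuery("1d1178840703")
	fmt.Println("parameterized:", q, args, err)
}
```

The first print shows the quote landing inside the SQL text, which is exactly the condition a boolean- or time-based injection relies on; the parameterized form either rejects the malformed identifier up front or hands the value to the driver as a bound argument. Detection-wise, a `packageID` value that fails the format check at the API boundary is also a useful signal to log.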

Scores

CVSS v3 6.5
EPSS 0.0044
EPSS Percentile 35.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
openclarity/kubeclarity (Go) 0 - 0.0.0-20240711173334-1d1178840703
openclarity/kubeclarity < 2.23.1
Published Jul 12, 2024
Tracked Since Feb 18, 2026