CVE-2022-39383

Published: Nov 16, 2022Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

KubeVela is an open source application delivery platform. Users using the VelaUX APIServer could be affected by this vulnerability. When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability. Users who're using v1.6, please update the v1.6.1. Users who're using v1.5, please update the v1.5.8. There are no known workarounds for this issue.

Affected (2)

Products: Linuxfoundation: Kubevela

Linuxfoundation

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Linuxfoundation Kubevela	Before 1.5.9
Linuxfoundation Kubevela	From 1.6.0 to 1.6.2

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://github.com/kubevela/kubevela/pull/5000

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/kubevela/kubevela/security/advisories/GHSA-m5xf-x7q6-3rm7

Source: security-advisories@github.com

Third Party Advisory

https://github.com/kubevela/kubevela/pull/5000

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/kubevela/kubevela/security/advisories/GHSA-m5xf-x7q6-3rm7

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.