6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-39909

GHSA ID

GHSA-5248-h45p-9pgw

EPSS Score

0.33796%

CWE

CWE-89

Published

7/12/2024

Updated

11/18/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-39909

CVE-2024-39909: SQL Injection in the KubeClarity REST API

Summary

A time/boolean SQL Injection is present in the following resource /api/applicationResources via the following parameter packageID

Details

As it can be seen here, while building the SQL Query the fmt.Sprintf function is used to build the query string without the input having first been subjected to any validation.

PoC

The following command should be able to trigger a basic version of the behavior: curl -i -s -k -X $'GET' \ -H $'Host: kubeclarity.test' \ $'https://kubeclarity.test/api/applicationResources?page=1&pageSize=50&sortKey=vulnerabilities&sortDir=DESC&packageID=c89973a6-4e7f-50b5-afe2-6bf6f4d3da0a\'HTTP/2'

Impact

While using the Helm chart, the impact of this vulnerability is limited since it allows read access only to the kuberclarity database, to which access is already given as far as I understand to regular users anyway. On the other hand, if Kuberclarity is deployed in a less secure way, this might allow access to more data then allowed or expected (beyond the limits of the KuberClarity database). The vulnerable line was introduced as part of the initial commit of Kubeclarity, so all versions up until the latest (2.23.1) are assumed vulnerable.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-39909

GHSA ID

GHSA-5248-h45p-9pgw

EPSS Score

0.33796%

CWE

CWE-89

Published

7/12/2024

Updated

11/18/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/openclarity/kubeclarity/backend	go	< 0.0.0-20240711173334-1d1178840703	0.0.0-20240711173334-1d1178840703

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the use of fmt.Sprintf in line 79 of id_view.go to build SQL queries. The original code concatenated user-supplied values (params.FilterIDs) directly into the query string via string formatting, creating a classic SQL injection vector. The patch replaced this with parameterized placeholders (? = ?), confirming the vulnerability was caused by unsafe string interpolation in this function. The function's role in processing filter parameters for database queries directly aligns with the described attack vector via the packageID parameter.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry * tim*/*ool**n SQL Inj**tion is pr*s*nt in t** *ollowin* r*sour** `/*pi/*ppli**tionR*sour**s` vi* t** *ollowin* p*r*m*t*r `p**k***I*` ### **t*ils *s it **n ** s**n [**r*](*ttps://*it*u*.*om/op*n*l*rity/ku***l*rity/*lo*/m*in/***k*n*/pk*/*

Reasoning

T** vuln*r**ility st*ms *rom t** us* o* `*mt.Sprint*` in lin* ** o* `i*_vi*w.*o` to *uil* SQL qu*ri*s. T** ori*in*l *o** *on**t*n*t** us*r-suppli** v*lu*s (`p*r*ms.*ilt*rI*s`) *ir**tly into t** qu*ry strin* vi* strin* *orm*ttin*, *r**tin* * *l*ssi* S

6.5

Basic Information

Concerned about an active attack path?

CVE-2024-39909: SQL Injection in the KubeClarity REST API

Summary

Details

PoC

Impact

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI