
CVE-2024-39909: SQL Injection in the KubeClarity REST API

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.33796%
Published: 7/12/2024
Updated: 11/18/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| github.com/openclarity/kubeclarity/backend | go | < 0.0.0-20240711173334-1d1178840703 | 0.0.0-20240711173334-1d1178840703 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the use of `fmt.Sprintf` in line 79 of `id_view.go` to build SQL queries. The original code concatenated user-supplied values (`params.FilterIDs`) directly into the query string via string formatting, creating a classic SQL injection vector. The patch replaced this with parameterized placeholders (`? = ?`), confirming that the vulnerability was caused by unsafe string interpolation in this function. The function's role in processing filter parameters for database queries directly aligns with the described attack vector via the `packageID` parameter.
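The pattern described above, shown side by side with its hardened form, as an added illustration that is not KubeClarity's code: `FilterParams`, `buildQueryUnsafe`, `buildQuerySafe`, `validateFilterIDs`, the table name `ids` and the identifier regex are all assumptions chosen to mirror the advisory's description (`params.FilterIDs` interpolated through `fmt.Sprintf`), not the project's real types or query. The unsafe builder pastes values into the SQL text; the safe builder emits one `?` placeholder per value and hands the values to the driver as bound arguments, and an allowlist check rejects malformed identifiers before they reach the query layer.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// FilterParams is a stand-in for the request parameters the advisory refers to
// (params.FilterIDs); the struct and field names are assumptions, not KubeClarity's types.
type FilterParams struct {
	FilterIDs []string
}

// buildQueryUnsafe reproduces the anti-pattern the root-cause analysis describes:
// each user-supplied ID is pasted into the SQL text with fmt.Sprintf, so any quote
// or SQL syntax inside a value becomes part of the statement itself.
func buildQueryUnsafe(p FilterParams) string {
	quoted := make([]string, len(p.FilterIDs))
	for i, id := range p.FilterIDs {
		quoted[i] = fmt.Sprintf("'%s'", id)
	}
	return fmt.Sprintf("SELECT * FROM ids WHERE id IN (%s)", strings.Join(quoted, ","))
}

// buildQuerySafe is the hardened form: the SQL text contains only '?' placeholders
// and the values travel separately as bound arguments, so the database driver never
// parses them as SQL. An empty filter list is rejected because "IN ()" is not valid SQL.
func buildQuerySafe(p FilterParams) (string, []any, error) {
	if len(p.FilterIDs) == 0 {
		return "", nil, errors.New("no filter ids supplied")
	}
	placeholders := make([]string, len(p.FilterIDs))
	args := make([]any, len(p.FilterIDs))
	for i, id := range p.FilterIDs {
		placeholders[i] = "?"
		args[i] = id
	}
	query := fmt.Sprintf("SELECT * FROM ids WHERE id IN (%s)", strings.Join(placeholders, ","))
	return query, args, nil
}

// idPattern is an assumed allowlist for identifier syntax; tighten it to the real
// ID format of the application. Input validation complements, but does not replace,
// parameterized queries.
var idPattern = regexp.MustCompile(`^[A-Za-z0-9._:/-]{1,128}$`)

// validateFilterIDs rejects any ID outside the allowlist before it reaches the query
// layer; a handler for a parameter such as packageID would run this on the raw input.
func validateFilterIDs(ids []string) error {
	for _, id := range ids {
		if !idPattern.MatchString(id) {
			return fmt.Errorf("filter id %q contains unexpected characters", id)
		}
	}
	return nil
}

func main() {
	// Constructed sample input: the second value contains a single quote, which is
	// enough to show how interpolated input alters the statement's structure.
	p := FilterParams{FilterIDs: []string{"pkg-1", "pkg'2"}}

	fmt.Println("unsafe:", buildQueryUnsafe(p))

	if err := validateFilterIDs(p.FilterIDs); err != nil {
		fmt.Println("validation:", err)
	}

	q, args, err := buildQuerySafe(p)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:", q, "args:", args)
}
```

With the constructed input, the unsafe builder yields `IN ('pkg-1','pkg'2')`, where the quote inside the second value ends the string literal early; the safe builder yields `IN (?,?)` regardless of the values, and the validation step flags the quoted value before any query is built. For detection, a static check that flags `fmt.Sprintf` whose result is passed to a query method (as the patch for this CVE removed) catches the same class of defect at review time.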


WAF Protection Rules

WAF Rule

### Summary

A time/boolean SQL Injection is present in the following resource `/api/applicationResources` via the following parameter `packageID`.

### Details

As it can be seen here: https://github.com/openclarity/kubeclarity/blob/main/backend/pkg/
