SQL Injection in the KubeClarity REST API
Moderate severity
GitHub Reviewed
Published
Jul 12, 2024
in
openclarity/openclarity
•
Updated Sep 6, 2024
Package
Affected versions
< 0.0.0-20240711173334-1d1178840703
Patched versions
0.0.0-20240711173334-1d1178840703
Description
Published to the GitHub Advisory Database
Jul 12, 2024
Reviewed
Jul 12, 2024
Published by the National Vulnerability Database
Jul 12, 2024
Last updated
Sep 6, 2024
Credits
-
b-abderrahmane Reporter
Summary
A time/boolean SQL Injection is present in the following resource
/api/applicationResourcesvia the following parameterpackageIDDetails
As it can be seen here, while building the SQL Query the
fmt.Sprintffunction is used to build the query string without the input having first been subjected to any validation.PoC
The following command should be able to trigger a basic version of the behavior:
curl -i -s -k -X $'GET' \ -H $'Host: kubeclarity.test' \ $'https://kubeclarity.test/api/applicationResources?page=1&pageSize=50&sortKey=vulnerabilities&sortDir=DESC&packageID=c89973a6-4e7f-50b5-afe2-6bf6f4d3da0a\'HTTP/2'Impact
While using the Helm chart, the impact of this vulnerability is limited since it allows read access only to the kuberclarity database, to which access is already given as far as I understand to regular users anyway.
On the other hand, if Kuberclarity is deployed in a less secure way, this might allow access to more data then allowed or expected (beyond the limits of the KuberClarity database). The vulnerable line was introduced as part of the initial commit of Kubeclarity, so all versions up until the latest (2.23.1) are assumed vulnerable.
References