Описание
KubeVela is an application delivery platform Users using KubeVela's VelaUX APIServer could be affected by an authentication bypass vulnerability. In KubeVela prior to versions 1.4.11 and 1.5.4, VelaUX APIServer uses the PlatformID as the signed key to generate the JWT tokens for users. Another API called getSystemInfo exposes the platformID. This vulnerability allows users to use the platformID to re-generate the JWT tokens to bypass the authentication. Versions 1.4.11 and 1.5.4 contain a patch for this issue.
Ссылки
- Third Party Advisory
- PatchThird Party Advisory
- Third Party Advisory
- PatchThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 1.4.0 (включая) до 1.4.11 (исключая)Версия от 1.5.0 (включая) до 1.5.3 (исключая)
Одно из
cpe:2.3:a:kubevela:kubevela:*:*:*:*:*:*:*:*
cpe:2.3:a:kubevela:kubevela:*:*:*:*:*:*:*:*
EPSS
Процентиль: 55%
0.00319
Низкий
8.2 High
CVSS3
9.8 Critical
CVSS3
Дефекты
CWE-294
EPSS
Процентиль: 55%
0.00319
Низкий
8.2 High
CVSS3
9.8 Critical
CVSS3
Дефекты
CWE-294