Description
KubeVela is an open source application delivery platform. Users of the VelaUX APIServer could be affected by this vulnerability. When Helm Chart is used as the component delivery method, the request address of the repository is not restricted, which results in a blind SSRF vulnerability. Users of v1.6 should update to v1.6.1. Users of v1.5 should update to v1.5.8. There are no known workarounds for this issue.
References
- Patch, Third Party Advisory
- Third Party Advisory
- Patch, Third Party Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1: versions before 1.5.9 (excluding); versions from 1.6.0 (including) up to 1.6.2 (excluding)
One of
cpe:2.3:a:linuxfoundation:kubevela:*:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:kubevela:*:*:*:*:*:*:*:*
EPSS
Percentile: 42%
0.00196
Low
4.9 Medium
CVSS3
6.5 Medium
CVSS3
Weaknesses
CWE-918
CWE-918
Related vulnerabilities
CVSS3: 4.9
github
about 3 years ago
KubeVela VelaUX APIserver has SSRF vulnerability