From 63ef5aae61a6e2de2c60b89f18ec124ddd6cb6d3 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Wed, 16 Nov 2022 19:32:26 +0000 Subject: [PATCH] Add CVE-2022-39383 for GHSA-m5xf-x7q6-3rm7 Add CVE-2022-39383 for GHSA-m5xf-x7q6-3rm7 --- 2022/39xxx/CVE-2022-39383.json | 85 +++++++++++++++++++++++++++++++--- 1 file changed, 79 insertions(+), 6 deletions(-) diff --git a/2022/39xxx/CVE-2022-39383.json b/2022/39xxx/CVE-2022-39383.json index a8eec8f5682..5e07ac5bb2c 100644 --- a/2022/39xxx/CVE-2022-39383.json +++ b/2022/39xxx/CVE-2022-39383.json @@ -1,18 +1,91 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-39383", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "SSRF vulnerability in KubeVela VelaUX APIServer" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "kubevela", + "version": { + "version_data": [ + { + "version_value": ">= 1.6.0, < 1.6.1" + }, + { + "version_value": "< 1.5.9" + } + ] + } + } + ] + }, + "vendor_name": "kubevela" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "KubeVela is an open source application delivery platform. Users using the VelaUX APIServer could be affected by this vulnerability. When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability. Users who're using v1.6, please update the v1.6.1. Users who're using v1.5, please update the v1.5.8. There are no known workarounds for this issue." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-918: Server-Side Request Forgery (SSRF)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/kubevela/kubevela/security/advisories/GHSA-m5xf-x7q6-3rm7", + "refsource": "CONFIRM", + "url": "https://github.com/kubevela/kubevela/security/advisories/GHSA-m5xf-x7q6-3rm7" + }, + { + "name": "https://github.com/kubevela/kubevela/pull/5000", + "refsource": "MISC", + "url": "https://github.com/kubevela/kubevela/pull/5000" + } + ] + }, + "source": { + "advisory": "GHSA-m5xf-x7q6-3rm7", + "discovery": "UNKNOWN" } } \ No newline at end of file