Home > Vulnerability Database > CVE-2024-39909

Mend.io Vulnerability Database

CVE-2024-39909

Good to know:

Date: July 12, 2024

KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. A time/boolean SQL Injection is present in the following resource "/api/applicationResources" via the following parameter "packageID". As it can be seen in backend/pkg/database/id_view.go, while building the SQL Query the "fmt.Sprintf" function is used to build the query string without the input having first been subjected to any validation. This vulnerability is fixed in 2.23.1.

Language: Go

Severity Score

6.5

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-39909

Url: https://github.com/openclarity/kubeclarity

Url: https://github.com/openclarity/kubeclarity/security/advisories/GHSA-5248-h45p-9pgw

Url: https://github.com/openclarity/kubeclarity/blob/main/backend/pkg/database/id_view.go#L79

Url: https://github.com/openclarity/kubeclarity/commit/1d1178840703a72d9082b7fc4aea0a3326c5d294

Url: https://www.mend.io/vulnerability-database/CVE-2024-39909

Severity Score

6.5

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

Top Fix

Upgrade Version

Upgrade to version github.com/openclarity/kubeclarity/backend - v0.0.0-20240711173334-1d1178840703

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-39909

Good to know:

Date: July 12, 2024

Language: Go

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?