PT-2022-23178 · Kubevela · Kubevela

Fogdong · Published 2022-09-07 · Updated 2022-09-16 · CVE-2022-36089

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: KubeVela versions prior to 1.4.11 and 1.5.4

Description: KubeVela is an application delivery platform that is affected by an authentication bypass issue. The VelaUX APIServer uses the PlatformID as the signing key for the JWT tokens it issues to users. The getSystemInfo API exposes the PlatformID, so anyone who can call that API can forge valid JWT tokens and bypass authentication.

Recommendations: For versions prior to 1.4.11, update to version 1.4.11 or later. For versions prior to 1.5.4, update to version 1.5.4 or later. As a temporary workaround, restrict access to the getSystemInfo API to minimize the risk of exploitation.

Related Identifiers

CVE-2022-36089
GHSA-CQ42-W295-R29Q

Affected Products

Kubevela