PT-2024-28725 · Unknown · Kubeclarity

Published 2024-07-12 · Updated 2024-07-12 · CVE-2024-39909

CVSS v4.0 7.1 High

Vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

KubeClarity versions prior to 2.23.1

Description

A time-based/boolean-based SQL injection is present in the /api/applicationResources resource via the packageID parameter. The vulnerability occurs because fmt.Sprintf is used to build the SQL query string, so the attacker-controlled packageID value is interpolated directly into the SQL text instead of being validated or passed as a bind parameter. Because the injection is blind (time/boolean), the attacker does not need the query result to be echoed back: data can be inferred one condition at a time from response timing or from whether a row is returned. The impact is limited to read access to the KubeClarity database when KubeClarity is deployed with the Helm chart, but it may allow access to more data than expected if KubeClarity is deployed in a less secure way (for example, with a database account that holds broader privileges).

Recommendations

For versions prior to 2.23.1, update to version 2.23.1 to resolve the issue. As a temporary workaround, restrict access to the /api/applicationResources endpoint or validate the packageID parameter against a strict allow-list before it reaches the query layer, to minimize the risk of exploitation. Note that input validation is a stopgap: the durable fix is to keep the SQL text fixed and pass packageID as a query parameter.

Exploit

Fix

Weakness Enumeration

SQL injection
Related Identifiers

CVE-2024-39909
GHSA-5248-H45P-9PGW
GO-2024-2981

Affected Products

Kubeclarity