PT-2024-31775 · Devtron

Leonnewton · Published 2024-11-07 · Updated 2024-11-22 · CVE-2024-45794

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Vulnerable software and affected versions: Devtron, all versions prior to 0.7.2
Description: Devtron is an open source tool integration platform for Kubernetes. In affected versions, an authenticated user holding only the minimum permissions can exploit a SQL injection in the CreateUser API (/orchestrator/user). The userInfo parameter of that request is under the caller's control and is incorporated into SQL queries in a way that lets crafted input alter the statement that is executed, so an attacker can run SQL of their choosing against the Devtron database. A valid account is required, but no elevated role is: the CVSS vector (PR:L) reflects that any low-privileged user can trigger the flaw.
Recommendations: Update Devtron to version 0.7.2 or later, which addresses this issue. Until the update is applied, restrict access to the CreateUser API (/orchestrator/user), for example at the ingress or API gateway, to the administrators who genuinely need it, and avoid passing untrusted input through the userInfo parameter of that endpoint. Treat this restriction as a stopgap rather than a fix, since the endpoint remains vulnerable to any account that can still reach it.
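The description above names the root cause (request data from userInfo reaching SQL query construction) without showing what that looks like in code. The following Go example is added here to illustrate the vulnerable pattern beside its hardened form; it is not Devtron's code and does not reproduce the real endpoint. The UserInfo struct, the email_id field, the users table and every function name are assumptions made for the illustration, and the two sample inputs are constructed.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// UserInfo is a hypothetical stand-in for the body of a create-user request.
// The field name is an assumption for this example, not Devtron's real struct.
type UserInfo struct {
	EmailID string
}

// BuildLookupUnsafe reproduces the vulnerable pattern: a request field is
// pasted straight into the SQL text, so quote characters in the value become
// part of the statement and change what the database executes.
func BuildLookupUnsafe(u UserInfo) string {
	return fmt.Sprintf("SELECT id FROM users WHERE email_id = '%s'", u.EmailID)
}

// BuildLookupSafe returns the statement with a positional placeholder and the
// value as a separate argument. A database/sql driver sends the two apart
// (e.g. db.QueryRowContext(ctx, q, args...)), so the value can never alter
// the statement's structure, whatever characters it contains.
func BuildLookupSafe(u UserInfo) (string, []interface{}) {
	return "SELECT id FROM users WHERE email_id = $1", []interface{}{u.EmailID}
}

// ValidateUserInfo is a defence-in-depth check applied before any query is
// built: the field must parse as a bare e-mail address with no display name
// or angle brackets. Input validation narrows the attack surface but is not a
// substitute for parameterization.
func ValidateUserInfo(u UserInfo) error {
	addr, err := mail.ParseAddress(u.EmailID)
	if err != nil {
		return fmt.Errorf("invalid email_id %q: %w", u.EmailID, err)
	}
	if addr.Address != u.EmailID || addr.Name != "" {
		return fmt.Errorf("email_id %q must be a bare address", u.EmailID)
	}
	return nil
}

// AlteredStatement reports whether a value changed the SQL text: a single
// string literal needs exactly two quotes, so more than two means the input
// closed the literal and appended its own SQL.
func AlteredStatement(query string) bool {
	return strings.Count(query, "'") > 2
}

func main() {
	// Constructed sample inputs: a benign address and a classic tautology payload.
	for _, in := range []string{"alice@example.com", "x' OR '1'='1"} {
		u := UserInfo{EmailID: in}
		unsafeQ := BuildLookupUnsafe(u)
		safeQ, args := BuildLookupSafe(u)
		fmt.Printf("input: %q\n  validation: %v\n  unsafe: %s (altered=%v)\n  safe: %s args=%q\n",
			in, ValidateUserInfo(u), unsafeQ, AlteredStatement(unsafeQ), safeQ, args)
	}
}
```

Running it shows the payload turning the unsafe lookup into `... WHERE email_id = 'x' OR '1'='1'`, which matches every row, while the parameterized form keeps the placeholder and hands the payload to the driver as a plain value. The same split applies to the real fix: any field of a create-user request that reaches SQL must travel as a bound argument, never as part of the statement text.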

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2024-45794
GHSA-Q78V-CV36-8FXJ
GO-2024-3260
OPENSUSE-SU-2024:14482-1
OPENSUSE-SU-2024_4042-1
SUSE-SU-2024:4042-1

Affected Products

Devtron
SUSE