← back
CVE-2024-45794

SQL Injection in CreateUser API in devtron

CVSS 8.3 HIGHEPSS 0.7%CWE-89
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.3EPSS 0.7%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
07 Nov 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
devtron is an open source tool integration platform for Kubernetes. In affected versions an authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user). This issue has been addressed in version 0.7.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Affected products
devtron-labs · devtron

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/devtron-labs/devtron/security/advisories/GHSA-q78v-cv36-8fxj