Home > Vulnerability Database > CVE-2022-36089

Mend.io Vulnerability Database

CVE-2022-36089

Good to know:

Date: September 7, 2022

KubeVela is an application delivery platform Users using KubeVela's VelaUX APIServer could be affected by an authentication bypass vulnerability. In KubeVela prior to versions 1.4.11 and 1.5.4, VelaUX APIServer uses the `PlatformID` as the signed key to generate the JWT tokens for users. Another API called `getSystemInfo` exposes the platformID. This vulnerability allows users to use the platformID to re-generate the JWT tokens to bypass the authentication. Versions 1.4.11 and 1.5.4 contain a patch for this issue.

Language: Go

Severity Score

8.2

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-36089

Url: https://github.com/kubevela/kubevela/security/advisories/GHSA-cq42-w295-r29q

Url: https://github.com/kubevela/kubevela/pull/4634

Url: https://www.mend.io/vulnerability-database/CVE-2022-36089

Severity Score

8.2

Weakness Type (CWE)

Authentication Bypass by Capture-replay

CWE-294

Top Fix

Upgrade Version

Upgrade to version v1.4.11,v1.5.3

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-36089

Good to know:

Date: September 7, 2022

Language: Go

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?