Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
VelaUX APIServer vulnerable to Authentication Bypass by Capture-replay
Vulnerability Description
KubeVela is an application delivery platform Users using KubeVela's VelaUX APIServer could be affected by an authentication bypass vulnerability. In KubeVela prior to versions 1.4.11 and 1.5.4, VelaUX APIServer uses the `PlatformID` as the signed key to generate the JWT tokens for users. Another API called `getSystemInfo` exposes the platformID. This vulnerability allows users to use the platformID to re-generate the JWT tokens to bypass the authentication. Versions 1.4.11 and 1.5.4 contain a patch for this issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Vulnerability Type
使用捕获-重放进行的认证绕过
Vulnerability Title
KubeVela 安全漏洞
Vulnerability Description
KubeVela是KubeVela开源的一个现代应用程序交付平台。 KubeVela 1.4.11和1.5.4之前的版本存在安全漏洞,该漏洞源于其VelaUX APIServer使用PlatformID作为签名密钥为用户生成JWT令牌。另一个名为“getSystemInfo”的API暴露了platformID。这个操作允许用户使用platformID重新生成JWT令牌,从而绕过身份验证。
CVSS Information
N/A
Vulnerability Type
N/A