Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's `--header` option to achieve arbitrary HTTP header injection.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
KubePlus 安全漏洞
Vulnerability Description
KubePlus是cloud-ark开源的一个Kubernetes多租户应用管理平台。 KubePlus 4.1.4存在安全漏洞,该漏洞源于mutating webhook和kubeconfiggenerator组件处理chartURL字段时存在服务端请求伪造和命令注入。
CVSS Information
N/A
Vulnerability Type
N/A