Vulnerability Information
Vulnerability Title
N/A
Vulnerability Description
The `/registercrd` endpoint of the kubeconfiggenerator component in KubePlus 4.14 is vulnerable to command injection. The component uses `subprocess.Popen()` with the `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is concatenated directly into the command string without any sanitization or validation. An attacker can inject arbitrary shell commands by crafting a malicious `chartName` parameter value.
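The pattern described above next to a hardened form, as an added example that is not KubePlus code: `echo` and a child Python process stand in for the real command, and the function names, the allow-list regex and the sample input are assumptions.

```python
import re
import subprocess
import sys

# Assumed allow-list (not KubePlus's own rule): lowercase alphanumerics plus
# "." "_" "-", with an alphanumeric first character so a value such as
# "--flag" cannot be read as an option by the called tool.
CHART_NAME_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,62}")

# Stand-in for the real CLI: a child Python process that prints its arguments.
STAND_IN_TOOL = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

# Constructed, harmless sample value containing a shell metacharacter.
CONSTRUCTED_INPUT = "demo; echo INJECTED"


def run_vulnerable(chart_name: str) -> str:
    """Pattern from the description: string concatenation plus shell=True."""
    cmd = "echo chart=" + chart_name  # the shell parses the whole string
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate()
    return out


def run_hardened(chart_name: str) -> str:
    """Validate against the allow-list, then pass one argv element, no shell."""
    if not CHART_NAME_RE.fullmatch(chart_name):
        raise ValueError("invalid chartName")
    # A list with the default shell=False goes straight to exec(); the value
    # is never interpreted by /bin/sh.
    proc = subprocess.Popen(STAND_IN_TOOL + [chart_name],
                            stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate()
    return out


if __name__ == "__main__":
    print(repr(run_vulnerable(CONSTRUCTED_INPUT)))  # second command executes
    print(repr(run_hardened("my-chart")))           # value arrives as one arg
    try:
        run_hardened(CONSTRUCTED_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
```

Passing an argument list removes the shell parsing step; the allow-list is still needed because a value beginning with `-` could otherwise be taken as an option by the invoked tool.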
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
KubePlus Security Vulnerability
Vulnerability Description
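KubePlus is an open-source Kubernetes multi-tenant application management platform from cloud-ark. KubePlus version 4.14 contains a security vulnerability. It stems from the /registercrd endpoint in the kubeconfiggenerator component not sanitizing or validating the chartName parameter, which may lead to command injection attacks.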
CVSS Information
N/A
Vulnerability Type
N/A