CVE-2022-39383 MEDIUM

CVE-2022-39383: SSRF vulnerability in KubeVela VelaUX APIServer

Vendor Kubevela
Product kubevela
Weakness CWE-918 · SSRF
Published November 16, 2022
Last update April 23, 2025

CVSS base score

4.9/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

KubeVela is an open source application delivery platform. Users of the VelaUX APIServer could be affected by this vulnerability. When Helm Chart is used as the component delivery method, the request address of the chart repository is not restricted, which results in a blind SSRF vulnerability. Users on v1.6 should update to v1.6.1. Users on v1.5 should update to v1.5.8. There are no known workarounds for this issue.

Key dates

02 Disclosure timeline

November 16, 2022 CVE published
April 23, 2025 Record updated