{"id":"GHSA-m5xf-x7q6-3rm7","summary":"KubeVela VelaUX APIserver has SSRF vulnerability ","details":"### Impact\nUsers using the VelaUX APIServer could be affected by this vulnerability.\n\nWhen using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability.\n\nThis issue is patched in 1.5.9 and 1.6.2.\n\n### References\nFix by: #5000 \n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [KubeVela repo](https://github.com/kubevela/kubevela)\n* Email us at [here](https://github.com/kubevela/kubevela#contact-us)\n","aliases":["CVE-2022-39383","GO-2022-1113"],"modified":"2026-02-04T02:46:30.456547Z","published":"2022-11-18T17:14:39Z","related":["CGA-r59f-cj6h-534p"],"database_specific":{"github_reviewed":true,"github_reviewed_at":"2022-11-18T17:14:39Z","nvd_published_at":"2022-11-16T20:15:00Z","cwe_ids":["CWE-918"],"severity":"MODERATE"},"references":[{"type":"WEB","url":"https://github.com/kubevela/kubevela/security/advisories/GHSA-m5xf-x7q6-3rm7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39383"},{"type":"WEB","url":"https://github.com/kubevela/kubevela/pull/5000"},{"type":"PACKAGE","url":"https://github.com/kubevela/kubevela"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2022-1113"}],"affected":[{"package":{"name":"github.com/oam-dev/kubevela","ecosystem":"Go","purl":"pkg:golang/github.com/oam-dev/kubevela"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.6.0-alpha.1"},{"fixed":"1.6.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-m5xf-x7q6-3rm7/GHSA-m5xf-x7q6-3rm7.json"}},{"package":{"name":"github.com/oam-dev/kubevela","ecosystem":"Go","purl":"pkg:golang/github.com/oam-dev/kubevela"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.5.9"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-m5xf-x7q6-3rm7/GHSA-m5xf-x7q6-3rm7.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"}]}