[github.com/oam-dev/kubevela] List helm chart endpoint of VelaUX APIserver has SSRF vulnerability

Impact

Users using the VelaUX APIServer could be affected by this vulnerability.

When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability.

Patches

For users who’re using v1.6, please update the v1.6.1.
For users who’re using v1.5, please update the v1.5.8.

References

Fix by: #5000

For more information

If you have any questions or comments about this advisory:

• Open an issue in KubeVela repo
• Email us at here

References

• https://github.com/kubevela/kubevela/security/advisories/GHSA-m5xf-x7q6-3rm7
• https://nvd.nist.gov/vuln/detail/CVE-2022-39383
• https://github.com/kubevela/kubevela/pull/5000
• https://github.com/advisories/GHSA-m5xf-x7q6-3rm7