CVE-2024-45794: 
Linux openSUSE vulnerability analysis and mitigation

Devtron, an open source tool integration platform for Kubernetes, was found to contain a SQL injection vulnerability (CVE-2024-45794). The vulnerability was discovered in versions prior to 0.7.2, where an authenticated user with minimum permissions could exploit SQL injection via the CreateUser API (/orchestrator/user). The issue was disclosed on November 7, 2024, and has been addressed in version 0.7.2 (GitHub Advisory).

The vulnerability exists in the CreateUser API endpoint (/orchestrator/user) where user input is not properly sanitized. The SQL injection occurs in the dbConnection.Query function within the UserAuthRepository.go file. The CVSS v3.1 base score is 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a serious security issue that requires low attack complexity and no user interaction (NVD).

The vulnerability allows authenticated attackers to execute malicious SQL queries through the CreateUser API. This could potentially lead to unauthorized access to sensitive database information, manipulation of database contents, and possible elevation of privileges within the application (GitHub Advisory).

Users are advised to upgrade to version 0.7.2 which contains the fix for this vulnerability. There are no known workarounds for this security issue (NVD).