CVE-2024-45794: Devtron has SQL Injection in CreateUser API

November 7, 2024

An authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user).

References

github.com/advisories/GHSA-q78v-cv36-8fxj
github.com/devtron-labs/devtron
github.com/devtron-labs/devtron/commit/1540271bd777b6bccd288e513a9070d8f04b6056
github.com/devtron-labs/devtron/security/advisories/GHSA-q78v-cv36-8fxj
nvd.nist.gov/vuln/detail/CVE-2024-45794

Detect and mitigate CVE-2024-45794 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →