CVE-2024-35182
published 2024-05-27CVE-2024-35182: Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection…
PriorityP354high8.1CVSS 3.1
AVNACLPRLUINSUCHIHAN
EPSS
1.55%
72.0th percentile
Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetAllEvents` at the API URL `/api/v2/events`. The sort query parameter read in `events_streamer.go` is directly used to build a SQL query in `events_persister.go`. Version 0.7.22 fixes this issue by using the `SanitizeOrderInput` function.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | layer5io_meshery | >= 0 < 0.7.22 | 0.7.22 |
| layer5 | meshery | < 0.7.22 | 0.7.22 |
| meshery | meshery | < 0.7.22 | 0.7.22 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Meshery SQL Injection vulnerability in github.com/layer5io/meshery
osv·2024-08-06
CVE-2024-35182 Meshery SQL Injection vulnerability in github.com/layer5io/meshery
Meshery SQL Injection vulnerability in github.com/layer5io/meshery
Meshery SQL Injection vulnerability in github.com/layer5io/meshery.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/layer5io/meshery before v0.7.22.
GHSA
Meshery SQL Injection vulnerability
ghsa·2024-08-05
CVE-2024-35182 [MEDIUM] CWE-89 Meshery SQL Injection vulnerability
Meshery SQL Injection vulnerability
Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetAllEvents` at the API URL `/api/v2/events`. The sort query parameter read in `events_streamer.go` is directly used to build a SQL query in `events_persister.go`. Ver
OSV
Meshery SQL Injection vulnerability
osv·2024-08-05
CVE-2024-35182 [MEDIUM] Meshery SQL Injection vulnerability
Meshery SQL Injection vulnerability
Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetAllEvents` at the API URL `/api/v2/events`. The sort query parameter read in `events_streamer.go` is directly used to build a SQL query in `events_persister.go`. Ver
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7/server/handlers/events_streamer.go#L52https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7/server/models/events_persister.go#L47https://github.com/meshery/meshery/commit/b55f6064d0c6a965aee38f30281f99da7dc4420chttps://github.com/meshery/meshery/pull/10280https://securitylab.github.com/advisories/GHSL-2024-013_GHSL-2024-014_Meshery/https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7/server/handlers/events_streamer.go#L52https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7/server/models/events_persister.go#L47https://github.com/meshery/meshery/commit/b55f6064d0c6a965aee38f30281f99da7dc4420chttps://github.com/meshery/meshery/pull/10280https://securitylab.github.com/advisories/GHSL-2024-013_GHSL-2024-014_Meshery/
2024-05-27
Published