Home > Vulnerability Database > CVE-2024-35181

Mend.io Vulnerability Database

CVE-2024-35181

Good to know:

Date: May 27, 2024

Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetMeshSyncResourcesKinds` at the API URL `/api/system/meshsync/resources/kinds`. The order query parameter is directly used to build a SQL query in `meshync_handler.go`. Version 0.7.22 fixes this issue.

Language: Go

Severity Score

5.9

Related Resources (11)

Url: https://github.com/meshery/meshery/pull/10280

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-35181

Url: https://github.com/meshery/meshery/pull/10207

Url: https://securitylab.github.com/advisories/GHSL-2024-013_GHSL-2024-014_Meshery

Url: https://github.com/advisories/GHSA-9f24-jrv4-f8g5

Url: https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13

Url: https://securitylab.github.com/advisories/GHSL-2024-013_GHSL-2024-014_Meshery/

Url: https://github.com/layer5io/meshery

Url: https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7/server/handlers/meshsync_handler.go#L187

Url: https://github.com/meshery/meshery/commit/b55f6064d0c6a965aee38f30281f99da7dc4420c

Url: https://www.mend.io/vulnerability-database/CVE-2024-35181

Severity Score

5.9

Weakness Type (CWE)

SQL Injection

CWE-89

Top Fix

Upgrade Version

Upgrade to version github.com/meshery/meshery-v0.7.22

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-35181

Good to know:

Date: May 27, 2024

Language: Go

Severity Score

Related Resources (11)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?