Lucene search

GitHub Advisory DatabaseGHSA-652R-Q29P-M25H

HistoryAug 05, 2024 - 9:29 p.m.

Meshery SQL Injection vulnerability

2024-08-0521:29:24

CWE-89

GitHub Advisory Database

github.com

meshery

sql injection

vulnerability

remote attacker

sensitive information

getmeshsyncresources

patch

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.2

Confidence

Low

JSON

Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.17 allows a remote attacker to obtain sensitive information via the order parameter of GetMeshSyncResources. Version 0.7.17 contains a patch for this issue.

Affected configurations

Vulners

Node

layer5mesheryRange<0.7.17

VendorProductVersionCPE
layer5meshery*cpe:2.3:a:layer5:meshery:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
layer5	meshery	*	cpe:2.3:a:layer5:meshery::::::::

References

github.com/advisories/GHSA-652r-q29p-m25h

github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13

github.com/meshery/meshery/pull/10207

nvd.nist.gov/vuln/detail/CVE-2024-29031

securitylab.github.com/advisories/GHSL-2023-249_Meshery

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.2

Confidence

Low

JSON

Related for GHSA-652R-Q29P-M25H