6 matches found
CVE-2021-31856
Layer5 Meshery 0.5.2 contains a SQL injection in the REST API exposed via the /api/experimental/patternfile (also described as /experimental/patternfiles) endpoint. The vulnerability stems from the GetMesheryPatterns function, where the order parameter from user input is directly concatenated int...
CVE-2024-35182
Meshesry (Meshery) has a SQL injection vulnerability in the GetAllEvents path under /api/v2/events due to unsanitized sort query handling in events_streamer.go, allowing stacked queries and ATTACH DATABASE usage to write arbitrary files and access/modify database-stored data (e.g., performance pr...
CVE-2024-35181
Summary: Meshery contains a SQL injection vulnerability affecting versions prior to 0.7.22. The flaw arises in the GetMeshSyncResourcesKinds API (GET /api/system/meshsync/resources/kinds) where the order query parameter is directly used to build a SQL query in meshync_handler.go, enabling stacked...
CVE-2024-29031
CVE-2024-29031 documents a SQL injection in Meshery (github.com/layer5io/meshery) affecting GetMeshSyncResources via the order parameter, prior to version 0.7.17. The root cause is improper input handling that could disclose sensitive information. The issue is mitigated by upgrading to version 0....
CVE-2023-46575
Summary: CVE-2023-46575 is a SQL injection vulnerability in Meshery prior to v0.6.179. The flaw allows a remote attacker to retrieve sensitive data and execute arbitrary code via the “order” parameter. The base data sources confirm an exploitable vulnerability with critical impact (C/H/I/A) and n...
CVE-2024-36535
CVE-2024-36535 affects meshery v0.7.51 and earlier, with insecure permissions that allow an attacker to access the service account token, enabling data access and privilege escalation. Multiple sources (Red Hat, Veracode, OSV, NVD, CNNVD, CVE list, PT-2024-27055) corroborate this description. The...