Lucene search
K
Layer5Meshery

6 matches found

CVE
CVE
added 2024/05/27 6:18 p.m.110 views

CVE-2024-35182

Meshesry (Meshery) has a SQL injection vulnerability in the GetAllEvents path under /api/v2/events due to unsanitized sort query handling in events_streamer.go, allowing stacked queries and ATTACH DATABASE usage to write arbitrary files and access/modify database-stored data (e.g., performance pr...

8.1CVSS5.9AI score0.01552EPSS
Web
CVE
CVE
added 2021/04/28 5:14 a.m.109 views

CVE-2021-31856

Layer5 Meshery 0.5.2 contains a SQL injection in the REST API exposed via the /api/experimental/patternfile (also described as /experimental/patternfiles) endpoint. The vulnerability stems from the GetMesheryPatterns function, where the order parameter from user input is directly concatenated int...

9.8CVSS9.9AI score0.75384EPSS
Web
CVE
CVE
added 2024/05/27 6:18 p.m.97 views

CVE-2024-35181

Summary: Meshery contains a SQL injection vulnerability affecting versions prior to 0.7.22. The flaw arises in the GetMeshSyncResourcesKinds API (GET /api/system/meshsync/resources/kinds) where the order query parameter is directly used to build a SQL query in meshync_handler.go, enabling stacked...

8.1CVSS5.9AI score0.01596EPSS
Web
CVE
CVE
added 2024/03/21 10:16 p.m.73 views

CVE-2024-29031

CVE-2024-29031 documents a SQL injection in Meshery (github.com/layer5io/meshery) affecting GetMeshSyncResources via the order parameter, prior to version 0.7.17. The root cause is improper input handling that could disclose sensitive information. The issue is mitigated by upgrading to version 0....

7.5CVSS7.5AI score0.00951EPSS
CVE
CVE
added 2023/11/24 12:0 a.m.53 views

CVE-2023-46575

Summary: CVE-2023-46575 is a SQL injection vulnerability in Meshery prior to v0.6.179. The flaw allows a remote attacker to retrieve sensitive data and execute arbitrary code via the “order” parameter. The base data sources confirm an exploitable vulnerability with critical impact (C/H/I/A) and n...

9.8CVSS9.6AI score0.01276EPSS
CVE
CVE
added 2024/07/24 12:0 a.m.45 views

CVE-2024-36535

CVE-2024-36535 affects meshery v0.7.51 and earlier, with insecure permissions that allow an attacker to access the service account token, enabling data access and privilege escalation. Multiple sources (Red Hat, Veracode, OSV, NVD, CNNVD, CVE list, PT-2024-27055) corroborate this description. The...

9.8CVSS7.1AI score0.00476EPSS