Lucene search

Veracode Vulnerability DatabaseVERACODE:47275

HistoryMay 30, 2024 - 10:40 a.m.

SQL Injection

2024-05-3010:40:21

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

meshery

sql injection

vulnerability

sort parameter

getallevents

stacked queries

attach database command

software

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

AI Score

7.8

Confidence

Low

EPSS

Percentile

15.5%

JSON

Meshery is vulnerable to SQL Injection. The vulnerability is due to improper handling of the sort query parameter in the GetAllEvents function, allowing for SQL injection through stacked queries and the ATTACH DATABASE command.

References

github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7/server/handlers/events_streamer.go#L52

github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7/server/models/events_persister.go#L47

github.com/meshery/meshery/commit/b55f6064d0c6a965aee38f30281f99da7dc4420c

github.com/meshery/meshery/pull/10280

securitylab.github.com/advisories/GHSL-2024-013_GHSL-2024-014_Meshery/

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

AI Score

7.8

Confidence

Low

EPSS

Percentile

15.5%

JSON

Related for VERACODE:47275