CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
AI Score
Confidence
Low
EPSS
Percentile
15.5%
Meshery is vulnerable to SQL Injection. The vulnerability is due to improper handling of the sort query parameter in the GetAllEvents function, allowing for SQL injection through stacked queries and the ATTACH DATABASE command.
github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7/server/handlers/events_streamer.go#L52
github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7/server/models/events_persister.go#L47
github.com/meshery/meshery/commit/b55f6064d0c6a965aee38f30281f99da7dc4420c
github.com/meshery/meshery/pull/10280
securitylab.github.com/advisories/GHSL-2024-013_GHSL-2024-014_Meshery/