Lucene search

GitHub_MVULNRICHMENT:CVE-2024-29031

HistoryMar 21, 2024 - 10:16 p.m.

CVE-2024-29031 Meshery SQL Injection vulnerability

2024-03-2122:16:03

CWE-89

GitHub_M

github.com

meshery

sql injection

getmeshsyncresources

v0.7.17

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.5

Confidence

Low

SSVC

Exploitation

poc

Automatable

yes

Technical Impact

partial

JSON

Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.17 allows a remote attacker to obtain sensitive information via the order parameter of GetMeshSyncResources. Version 0.7.17 contains a patch for this issue.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:layer5:meshery:*:*:*:*:*:*:*:*"
    ],
    "vendor": "layer5",
    "product": "meshery",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "7.1.7",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13

github.com/meshery/meshery/pull/10207

securitylab.github.com/advisories/GHSL-2023-249_Meshery/

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.5

Confidence

Low

SSVC

Exploitation

poc

Automatable

yes

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-29031