CVE-2024-35181 — MEDIUM (5.9)

Q: How severe is CVE-2024-35181?

CVE-2024-35181 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-35181?

Check the references section above for vendor advisories and patch information. Affected products include: Layer5 Meshery.

Vulnerability Description

Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetMeshSyncResourcesKinds` at the API URL `/api/system/meshsync/resources/kinds`. The order query parameter is directly used to build a SQL query in `meshync_handler.go`. Version 0.7.22 fixes this issue.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Layer5	Meshery	< 0.7.22

Related Weaknesses (CWE)

CWE-89

References

https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7Product
https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917fPatch
https://github.com/meshery/meshery/commit/b55f6064d0c6a965aee38f30281f99da7dc442Patch
https://github.com/meshery/meshery/pull/10207Issue TrackingPatch
https://github.com/meshery/meshery/pull/10280Issue TrackingPatch
https://securitylab.github.com/advisories/GHSL-2024-013_GHSL-2024-014_Meshery/ExploitThird Party Advisory
https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7Product
https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917fPatch
https://github.com/meshery/meshery/commit/b55f6064d0c6a965aee38f30281f99da7dc442Patch
https://github.com/meshery/meshery/pull/10207Issue TrackingPatch
https://github.com/meshery/meshery/pull/10280Issue TrackingPatch
https://securitylab.github.com/advisories/GHSL-2024-013_GHSL-2024-014_Meshery/ExploitThird Party Advisory

FAQ

What is CVE-2024-35181?

CVE-2024-35181 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0....

How severe is CVE-2024-35181?

CVE-2024-35181 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-35181?

Check the references section above for vendor advisories and patch information. Affected products include: Layer5 Meshery.