CVE-2024-35182 — MEDIUM (5.9)

Q: How severe is CVE-2024-35182?

CVE-2024-35182 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-35182?

Check the references section above for vendor advisories and patch information. Affected products include: Layer5 Meshery.

Vulnerability Description

Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetAllEvents` at the API URL `/api/v2/events`. The sort query parameter read in `events_streamer.go` is directly used to build a SQL query in `events_persister.go`. Version 0.7.22 fixes this issue by using the `SanitizeOrderInput` function.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Layer5	Meshery	< 0.7.22

Related Weaknesses (CWE)

CWE-89

References

https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7Product
https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7Product
https://github.com/meshery/meshery/commit/b55f6064d0c6a965aee38f30281f99da7dc442Patch
https://github.com/meshery/meshery/pull/10280Issue TrackingPatch
https://securitylab.github.com/advisories/GHSL-2024-013_GHSL-2024-014_Meshery/ExploitThird Party Advisory
https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7Product
https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7Product
https://github.com/meshery/meshery/commit/b55f6064d0c6a965aee38f30281f99da7dc442Patch
https://github.com/meshery/meshery/pull/10280Issue TrackingPatch
https://securitylab.github.com/advisories/GHSL-2024-013_GHSL-2024-014_Meshery/ExploitThird Party Advisory

FAQ

What is CVE-2024-35182?

CVE-2024-35182 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0....

How severe is CVE-2024-35182?

CVE-2024-35182 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-35182?

Check the references section above for vendor advisories and patch information. Affected products include: Layer5 Meshery.