GHSA-9f24-jrv4-f8g5

Suggest an improvement
Source
https://github.com/advisories/GHSA-9f24-jrv4-f8g5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-9f24-jrv4-f8g5/GHSA-9f24-jrv4-f8g5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9f24-jrv4-f8g5
Aliases
Published
2024-08-05T21:29:26Z
Modified
2024-08-06T23:11:58.563744Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Meshery SQL Injection vulnerability
Details

Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function GetMeshSyncResourcesKinds at the API URL /api/system/meshsync/resources/kinds. The order query parameter is directly used to build a SQL query in meshync_handler.go. Version 0.7.22 fixes this issue.

Database specific 
{
    "nvd_published_at": "2024-05-27T19:15:08Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-05T21:29:26Z"
}
References

Affected packages

Go / github.com/layer5io/meshery

Package

Name
github.com/layer5io/meshery
View open source insights on deps.dev
Purl
pkg:golang/github.com/layer5io/meshery

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.7.22