PT-2024-26362 · Meshery · Meshery

Tony Torralba · Published 2024-05-23 · Updated 2024-08-06 · CVE-2024-35181

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Meshery versions prior to 0.7.22

Description: A SQL injection issue may lead to arbitrary file write by using a SQL injection stacked-queries payload together with the ATTACH DATABASE command. Attackers may be able to access and modify any data stored in the database, including performance profiles, Meshery application data, or Kubernetes configuration. The Meshery project exposes the function GetMeshSyncResourcesKinds at the API endpoint "/api/system/meshsync/resources/kinds". The order query parameter is used directly to build a SQL query in the meshsync handler.go.

Recommendations: For Meshery versions prior to 0.7.22, update to version 0.7.22 to resolve the issue. As a temporary workaround, consider restricting access to the /api/system/meshsync/resources/kinds API endpoint until the update can be applied. Avoid using the order query parameter in the affected API endpoint until the issue is resolved.
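The root cause described above is an ORDER BY clause assembled from a raw query parameter. The following Go snippet is an added example written for this advisory page; it is not Meshery's code and does not reproduce its fix. It shows the concatenation pattern the advisory describes next to an allowlist validator that rebuilds the clause only from known column names and sort directions, so the caller's string never reaches the query text. The column names (kind, count, created_at) are hypothetical and not taken from Meshery's schema.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Allowlist of columns a client may sort by. Hypothetical names chosen for
// this example; they are not taken from Meshery's schema.
var allowedOrderColumns = map[string]bool{
	"kind":       true,
	"count":      true,
	"created_at": true,
}

var errBadOrder = errors.New("invalid order parameter")

// UnsafeOrderClause shows the pattern the advisory describes: the query
// parameter is concatenated straight into the SQL text. It is kept here only
// to contrast with SafeOrderClause and must never see untrusted input.
func UnsafeOrderClause(order string) string {
	return "ORDER BY " + order
}

// SafeOrderClause accepts "column [asc|desc]" and returns an ORDER BY
// fragment rebuilt from validated tokens. Any token outside the allowlist,
// any extra token, and any stray punctuation cause rejection.
func SafeOrderClause(order string) (string, error) {
	fields := strings.Fields(strings.ToLower(strings.TrimSpace(order)))
	if len(fields) == 0 || len(fields) > 2 {
		return "", errBadOrder
	}
	col := fields[0]
	if !allowedOrderColumns[col] {
		return "", errBadOrder
	}
	dir := "ASC"
	if len(fields) == 2 {
		switch fields[1] {
		case "asc":
			dir = "ASC"
		case "desc":
			dir = "DESC"
		default:
			return "", errBadOrder
		}
	}
	// The clause is reassembled from the allowlisted column and a fixed
	// direction keyword, never from the original input string.
	return fmt.Sprintf("%s %s", col, dir), nil
}

func main() {
	for _, in := range []string{"kind", "count desc", "kind; extra", "nope asc", ""} {
		clause, err := SafeOrderClause(in)
		fmt.Printf("%-12q -> %q err=%v\n", in, clause, err)
	}
}
```

With a GORM-style query builder the validated fragment would be passed to the ordering method, while UnsafeOrderClause illustrates why a plain string is dangerous: a value containing a statement separator is carried into the query verbatim, whereas SafeOrderClause rejects it at the first token.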

References: Exploit · Fix

SQL injection

Weakness Enumeration

Related Identifiers: CVE-2024-35181, GHSA-9F24-JRV4-F8G5, GO-2024-3050

Affected Products: Meshery