PT-2024-26363 · Meshery · Meshery

Tony Torralba · Published 2024-05-23 · Updated 2024-08-06 · CVE-2024-35182

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Meshery versions prior to 0.7.22

Description: A SQL injection vulnerability may lead to arbitrary file write through a stacked-queries SQL injection payload combined with the ATTACH DATABASE command. Attackers may be able to read and modify any data stored in the database, such as performance profiles, Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function GetAllEvents at the API endpoint "/api/v2/events". The sort query parameter, read in events_streamer.go, is used directly to build a SQL query in events_persister.go.

Recommendations: For versions prior to 0.7.22, update to version 0.7.22 or later, which fixes this issue by validating the sort value with the SanitizeOrderInput function. As a temporary workaround, consider restricting access to the /api/v2/events API endpoint until the issue is resolved, and avoid using the sort query parameter on the affected endpoint until then.
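The defect and the fix described above, as an added example in Go that is not Meshery's own code: the vulnerable pattern (the sort parameter concatenated straight into ORDER BY) beside a hypothetical allowlist sanitizer standing in for SanitizeOrderInput. The column names are a constructed allowlist, not Meshery's schema.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed allowlist of sortable event columns (hypothetical schema).
var allowedSortColumns = map[string]bool{
	"created_at": true,
	"updated_at": true,
	"severity":   true,
}

// buildOrderUnsafe is the vulnerable pattern: the caller-controlled sort
// value is concatenated straight into the ORDER BY clause, so quotes or
// semicolons in it reach the database verbatim.
func buildOrderUnsafe(sort string) string {
	return "ORDER BY " + sort
}

// sanitizeOrderInput is a hypothetical allowlist sanitizer (not Meshery's
// SanitizeOrderInput). It accepts "<column>" or "<column> <asc|desc>" with
// column on the allowlist, and rebuilds the clause from the matched tokens
// so no caller-supplied bytes are echoed into SQL. The caller appends the
// returned string to "ORDER BY " only when err is nil.
func sanitizeOrderInput(sort string) (string, error) {
	fields := strings.Fields(strings.ToLower(sort))
	if len(fields) == 0 || len(fields) > 2 {
		return "", errors.New("sort must be '<column>' or '<column> <asc|desc>'")
	}
	if !allowedSortColumns[fields[0]] {
		return "", fmt.Errorf("sort column %q is not allowed", fields[0])
	}
	dir := "asc"
	if len(fields) == 2 {
		if fields[1] != "asc" && fields[1] != "desc" {
			return "", fmt.Errorf("sort direction %q is not allowed", fields[1])
		}
		dir = fields[1]
	}
	return fields[0] + " " + dir, nil
}
```

Any value carrying punctuation beyond the allowed identifier and direction tokens is rejected before a query is built, which is what closes the stacked-queries path.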

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2024-35182
GHSA-H7CM-JVPP-69XF
GO-2024-3051

Affected Products

Meshery