Meshery

meshery

Vendor: Layer5 • 6 CVEs

CVEs (6)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-36535 1Layer5 1Meshery Sep 3, 2025 Jul 24, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Insecure permissions in meshery v0.7.51 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
CVE-2024-35182 1Layer5 1Meshery Sep 2, 2025 May 27, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arb...Show more Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetAllEvents` at the API URL `/api/v2/events`. The sort query parameter read in `events_streamer.go` is directly used to build a SQL query in `events_persister.go`. Version 0.7.22 fixes this issue by using the `SanitizeOrderInput` function.Show less
CVE-2024-35181 1Layer5 1Meshery Sep 2, 2025 May 27, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arb...Show more Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetMeshSyncResourcesKinds` at the API URL `/api/system/meshsync/resources/kinds`. The order query parameter is directly used to build a SQL query in `meshync_handler.go`. Version 0.7.22 fixes this issue.Show less
CVE-2024-29031 1Layer5 1Meshery Sep 2, 2025 Mar 21, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.17 allows a remote...Show more Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.17 allows a remote attacker to obtain sensitive information via the `order` parameter of `GetMeshSyncResources`. Version 0.7.17 contains a patch for this issue.Show less
CVE-2023-46575 1Layer5 1Meshery Nov 21, 2024 Nov 24, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A SQL injection vulnerability exists in Meshery prior to version v0.6.179, enabling a remote attacker to retrieve sensitive information and execute arbitrary code through the “order” parameter
CVE-2021-31856 1Layer5 1Meshery Nov 21, 2024 Apr 28, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/mesh...Show more A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go).Show less