x/vulndb: potential Go vuln in github.com/layer5io/meshery: GHSA-h7cm-jvpp-69xf

[GoVulnBot]

Advisory GHSA-h7cm-jvpp-69xf references a vulnerability in the following Go modules:

Module
github.com/layer5io/meshery

Description:
Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetAl...

References:

• ADVISORY: GHSA-h7cm-jvpp-69xf
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-35182
• FIX: meshery/meshery@b55f606
• FIX: Fix more SQL injections meshery/meshery#10280
• WEB: https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7/server/handlers/events_streamer.go#L52
• WEB: https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7/server/models/events_persister.go#L47
• WEB: https://securitylab.github.com/advisories/GHSL-2024-013_GHSL-2024-014_Meshery

Cross references:

• github.com/layer5io/meshery appears in 1 other report(s):
  • data/excluded/GO-2023-2353.yaml (x/vulndb: potential Go vuln in github.com/layer5io/meshery: GHSA-9jjc-grg5-67gj #2353) EFFECTIVELY_PRIVATE

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/layer5io/meshery
      non_go_versions:
        - fixed: 0.7.22
      vulnerable_at: 0.7.18
summary: Meshery SQL Injection vulnerability in github.com/layer5io/meshery
cves:
    - CVE-2024-35182
ghsas:
    - GHSA-h7cm-jvpp-69xf
references:
    - advisory: https://github.com/advisories/GHSA-h7cm-jvpp-69xf
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-35182
    - fix: https://github.com/meshery/meshery/commit/b55f6064d0c6a965aee38f30281f99da7dc4420c
    - fix: https://github.com/meshery/meshery/pull/10280
    - web: https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7/server/handlers/events_streamer.go#L52
    - web: https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7/server/models/events_persister.go#L47
    - web: https://securitylab.github.com/advisories/GHSL-2024-013_GHSL-2024-014_Meshery
source:
    id: GHSA-h7cm-jvpp-69xf
    created: 2024-08-05T22:04:43.00809188Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/603715 mentions this issue: data/reports: add 20 unreviewed reports

[gopherbot]

Change https://go.dev/cl/603716 mentions this issue: data/reports: add 19 unreviewed reports