Security Vulnerabilities
List of Announced Vulnerabilities
| DATE ANNOUNCED | CVE ID | SEVERITY (CVSS v3) | DESCRIPTION | AFFECTED COMPONENT | VULNERABLE VERSION | PATCHED VERSION | FIX DETAILS | LINKS |
|---|---|---|---|---|---|---|---|---|
| 2024-08-05 | CVE-2024-35182 | Medium (5.9) | A SQL injection vulnerability in Meshery prior to v0.7.22 in the events API (/api/v2/events, GetAllEvents) allows a remote attacker to execute arbitrary SQL via the sort parameter, including stacked queries and arbitrary file writes via ATTACH DATABASE. | Events API (GetAllEvents) | < v0.7.22 | v0.7.22 | PR #10280 | NVD, GHSA-h7cm-jvpp-69xf, GitHub Security Lab |
| 2024-08-05 | CVE-2024-35181 | Medium (5.9) | A SQL injection vulnerability in Meshery prior to v0.7.22 in the GetMeshSyncResourcesKinds handler (/api/system/meshsync/resources/kinds) allows a remote attacker to execute arbitrary SQL via the order parameter, including stacked queries and arbitrary file writes via ATTACH DATABASE. | MeshSync resources API (GetMeshSyncResourcesKinds) | < v0.7.22 | v0.7.22 | PR #10280 | NVD, GHSA-9f24-jrv4-f8g5, GitHub Security Lab |
| 2024-08-05 | CVE-2024-29031 | High (7.5) | A SQL injection vulnerability in Meshery prior to v0.7.17 allows a remote attacker to obtain sensitive information via the order parameter of the GetMeshSyncResources function. | MeshSync resources API (GetMeshSyncResources) | < v0.7.17 | v0.7.17 | PR #10207 | NVD, GHSA-652r-q29p-m25h, GitHub Security Lab |
| 2024-07-24 | CVE-2024-36535 | Critical (9.8) | Insecure default permissions in Meshery v0.7.51 allow an attacker to access sensitive data and escalate privileges by obtaining the Meshery ServiceAccount token. With the default Helm installation the interface is exposed on an external IP and permits open self-registration, so anyone who can reach it can sign up, gain broad visibility into cluster activity, deploy pods, and execute arbitrary code unless Meshery is secured or restricted to internal networks. | Default deployment / RBAC (ServiceAccount token) | v0.7.51 | Mitigation only | Mitigated by configuration — see Security Hardening and Authentication & Identity | NVD, cve.org, advisory |
| 2023-11-24 | CVE-2023-46575 | Critical (9.1) | A SQL injection vulnerability in Meshery prior to v0.6.179 enables a remote attacker to retrieve sensitive information and execute arbitrary code via the order parameter. | REST API (order parameter) | < v0.6.179 | v0.6.179 | PR #9372 | NVD, GHSA-9jjc-grg5-67gj |
| 2021-04-28 | CVE-2021-31856 | Critical (9.8) | A SQL Injection vulnerability in the REST API in Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go). | REST API | v0.5.2 | v0.5.3 | PR #2745 | NVD, mitre, details |
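Each of the SQL injection entries above traces back to a user-controlled `order` or `sort` query parameter being placed into the query without validation. The following is an added illustration, not Meshery's own code: an allow-list validator that turns such a parameter into an ORDER BY fragment built only from known tokens, with a constructed column set assumed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Columns a caller may sort by. Constructed for this example, not Meshery's schema.
var AllowedSortColumns = map[string]bool{"name": true, "created_at": true, "updated_at": true}
// DefaultOrder applies when the caller sends no order/sort value.
const DefaultOrder = "updated_at DESC"
var identRe = regexp.MustCompile(`^[a-z_][a-z0-9_]*$`)

// SafeOrderClause converts a user-supplied "column [asc|desc]" value into an
// ORDER BY fragment assembled only from allow-listed tokens. Extra tokens,
// punctuation, or unknown columns are rejected, so the raw parameter never
// reaches the query string.
func SafeOrderClause(param string, allowed map[string]bool) (string, error) {
	fields := strings.Fields(strings.ToLower(param))
	if len(fields) == 0 {
		return DefaultOrder, nil
	}
	if len(fields) > 2 {
		return "", fmt.Errorf("order: unexpected extra tokens in %q", param)
	}
	col := fields[0]
	if !identRe.MatchString(col) || !allowed[col] {
		return "", fmt.Errorf("order: column %q is not sortable", col)
	}
	dir := "ASC"
	if len(fields) == 2 {
		switch fields[1] {
		case "asc":
		case "desc":
			dir = "DESC"
		default:
			return "", fmt.Errorf("order: bad direction %q", fields[1])
		}
	}
	return col + " " + dir, nil
}

func main() {
	for _, p := range []string{"name desc", "", "created_at; attach database", "password asc"} {
		clause, err := SafeOrderClause(p, AllowedSortColumns)
		fmt.Printf("%q -> %q err=%v\n", p, clause, err)
	}
}
```

The validated fragment is the only thing handed to the ORM or query builder; the original parameter string is never concatenated into SQL.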
Reporting a vulnerability
We are very grateful to the security researchers and users who report Meshery security vulnerabilities. We investigate every report thoroughly.
To make a report, send an email to the private security@meshery.io mailing list with the vulnerability details. For normal product bugs unrelated to latent security vulnerabilities, please head to the appropriate repository and submit a new issue.
When to report a security vulnerability?
Send us a report whenever you:
- Think Meshery has a potential security vulnerability.
- Are unsure whether or how a vulnerability affects Meshery.
- Think a vulnerability is present in another project that Meshery depends on (Docker for example).
When not to report a security vulnerability?
Don’t send a vulnerability report if:
- You need help tuning Meshery components for security.
- You need help applying security related updates.
- Your issue is not security related.
Instead, join the community Slack and ask questions.
Evaluation
The Meshery team acknowledges and analyzes each vulnerability report within 10 working days.
Any vulnerability information you share with the Meshery team stays within the Meshery project. We don’t disseminate the information to other projects. We only share the information as needed to fix the issue.
We keep the reporter updated as the status of the security issue is addressed.
Fixing the issue
Once a security vulnerability has been fully characterized, a fix is developed by the Meshery team. The development and testing for the fix happens in a private GitHub repository in order to prevent premature disclosure of the vulnerability.
Early disclosures
The Meshery project maintains a mailing list for private early disclosure of security vulnerabilities. The list is used to provide actionable information to close Meshery partners. The list is not intended for individuals to find out about security issues.
Public disclosures
On the day chosen for public disclosure, a sequence of activities takes place as quickly as possible:
Changes are merged from the private GitHub repository holding the fix into the appropriate set of public branches.
The Meshery team ensures all necessary binaries are promptly built and published.
Once the binaries are available, an announcement is sent out on the following channels:
- The Meshery blog
- The Meshery X feed
- The #announcements channel on community Slack
As far as possible, this announcement will be actionable and will include any mitigating steps customers can take before upgrading to a fixed version.