CVE-2024-35181

Name: CVE-2024-35181
Creator: NVD / NIST
Published: 2024-05-27T19:15:08.62+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.1/10EPSS 1.60%

Last modified Jun 17, 2026

CVE-2024-35181 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. EPSS estimates a 1.60% chance of exploitation in the next 30 days.

Description

Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetMeshSyncResourcesKinds` at the API URL `/api/system/meshsync/resources/kinds`. The order query parameter is directly used to build a SQL query in `meshync_handler.go`. Version 0.7.22 fixes this issue.

Metrics

CVSS 3.1

8.1/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Probability

1.60%

72.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-89

Affected Software

Vendor	Product	Versions
Layer5	Meshery	< 0.7.22

References

https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7/server/handlers/meshsync_handler.go#L187Product
https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13Patch
https://github.com/meshery/meshery/commit/b55f6064d0c6a965aee38f30281f99da7dc4420cPatch
https://github.com/meshery/meshery/pull/10207Issue Tracking, Patch
https://github.com/meshery/meshery/pull/10280Issue Tracking, Patch
https://securitylab.github.com/advisories/GHSL-2024-013_GHSL-2024-014_Meshery/Exploit, Third Party Advisory
https://github.com/meshery/meshery/blob/b331f45c9083d7abf6b90105072b04cd22473de7/server/handlers/meshsync_handler.go#L187Product
https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13Patch
https://github.com/meshery/meshery/commit/b55f6064d0c6a965aee38f30281f99da7dc4420cPatch
https://github.com/meshery/meshery/pull/10207Issue Tracking, Patch
https://github.com/meshery/meshery/pull/10280Issue Tracking, Patch
https://securitylab.github.com/advisories/GHSL-2024-013_GHSL-2024-014_Meshery/Exploit, Third Party Advisory

Timeline

Published: May 27, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-35181?

How severe is CVE-2024-35181?

CVE-2024-35181 has a CVSS score of 8.1/10 (HIGH severity). The EPSS model estimates a 1.60% probability of exploitation in the next 30 days.

How do I fix CVE-2024-35181?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-35181?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST