CVE-2024-29031 - Vulnerability Details - OpenCVE

Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.17 allows a remote attacker to obtain sensitive information via the `order` parameter of `GetMeshSyncResources`. Version 0.7.17 contains a patch for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Layer5	Meshery

Configuration 1 [-]

cpe:2.3:a:layer5:meshery:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13
https://github.com/meshery/meshery/pull/10207
https://securitylab.github.com/advisories/GHSL-2023-249_Meshery/

History

Tue, 02 Sep 2025 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Layer5 Layer5 meshery
CPEs		cpe:2.3:a:layer5:meshery::::::::
Vendors & Products		Layer5 Layer5 meshery

Tue, 15 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00328}`	epss `{'score': 0.00445}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-21T22:16:03.997Z

Updated: 2024-08-13T16:48:48.015Z

Reserved: 2024-03-14T16:59:47.612Z

Link: CVE-2024-29031

Vulnrichment

Updated: 2024-08-02T01:03:51.701Z

NVD

Status : Analyzed

Published: 2024-03-21T23:15:11.167

Modified: 2025-09-02T19:25:57.483

Link: CVE-2024-29031

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29031", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-14T16:59:47.612Z", "datePublished": "2024-03-21T22:16:03.997Z", "dateUpdated": "2024-08-13T16:48:48.015Z"}, "containers": {"cna": {"title": "Meshery SQL Injection vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2023-249_Meshery/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2023-249_Meshery/"}, {"name": "https://github.com/meshery/meshery/pull/10207", "tags": ["x_refsource_MISC"], "url": "https://github.com/meshery/meshery/pull/10207"}, {"name": "https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13", "tags": ["x_refsource_MISC"], "url": "https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13"}], "affected": [{"vendor": "meshery", "product": "meshery", "versions": [{"version": "< 0.7.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-21T22:16:03.997Z"}, "descriptions": [{"lang": "en", "value": "Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.17 allows a remote attacker to obtain sensitive information via the `order` parameter of `GetMeshSyncResources`. Version 0.7.17 contains a patch for this issue."}], "source": {"advisory": "GHSA-652r-q29p-m25h", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:51.701Z"}, "title": "CVE Program Container", "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2023-249_Meshery/", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2023-249_Meshery/"}, {"name": "https://github.com/meshery/meshery/pull/10207", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/meshery/meshery/pull/10207"}, {"name": "https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13"}]}, {"affected": [{"vendor": "layer5", "product": "meshery", "cpes": ["cpe:2.3:a:layer5:meshery:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "7.1.7", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-22T18:31:58.690556Z", "id": "CVE-2024-29031", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-13T16:48:48.015Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2023-249_Meshery/", "name": "https://securitylab.github.com/advisories/GHSL-2023-249_Meshery/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/meshery/meshery/pull/10207", "name": "https://github.com/meshery/meshery/pull/10207", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13", "name": "https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:51.701Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29031", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-22T18:31:58.690556Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:layer5:meshery:*:*:*:*:*:*:*:*"], "vendor": "layer5", "product": "meshery", "versions": [{"status": "affected", "version": "0", "lessThan": "7.1.7", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-13T16:48:44.354Z"}}], "cna": {"title": "Meshery SQL Injection vulnerability", "source": {"advisory": "GHSA-652r-q29p-m25h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "meshery", "product": "meshery", "versions": [{"status": "affected", "version": "< 0.7.17"}]}], "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2023-249_Meshery/", "name": "https://securitylab.github.com/advisories/GHSL-2023-249_Meshery/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/meshery/meshery/pull/10207", "name": "https://github.com/meshery/meshery/pull/10207", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13", "name": "https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.17 allows a remote attacker to obtain sensitive information via the `order` parameter of `GetMeshSyncResources`. Version 0.7.17 contains a patch for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-21T22:16:03.997Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29031", "state": "PUBLISHED", "dateUpdated": "2024-08-13T16:48:48.015Z", "dateReserved": "2024-03-14T16:59:47.612Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-21T22:16:03.997Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:layer5:meshery:*:*:*:*:*:*:*:*", "matchCriteriaId": "07263ED2-75B1-47A5-B5CC-8CE8ED67826E", "versionEndExcluding": "0.7.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.17 allows a remote attacker to obtain sensitive information via the `order` parameter of `GetMeshSyncResources`. Version 0.7.17 contains a patch for this issue."}, {"lang": "es", "value": "Meshery es un administrador nativo de la nube de c\u00f3digo abierto que permite el dise\u00f1o y la administraci\u00f3n de infraestructura y aplicaciones basadas en Kubernetes. Una vulnerabilidad de inyecci\u00f3n SQL en Meshery anterior a la versi\u00f3n 0.7.17 permite a un atacante remoto obtener informaci\u00f3n confidencial a trav\u00e9s del par\u00e1metro `order` de `GetMeshSyncResources`. La versi\u00f3n 0.7.17 contiene un parche para este problema."}], "id": "CVE-2024-29031", "lastModified": "2025-09-02T19:25:57.483", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-21T23:15:11.167", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/meshery/meshery/pull/10207"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2023-249_Meshery/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/meshery/meshery/pull/10207"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2023-249_Meshery/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}