Bug 1217505 (CVE-2023-46575)

Summary: VUL-0: CVE-2023-46575: mesheryctl: SQL injection in api/system/database endpoint
Product: [openSUSE] openSUSE Tumbleweed Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: Johannes Kastl <opensuse_buildservice>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carlos.lopez
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/386057/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-11-27 06:46:11 UTC 
A SQL injection vulnerability in Meshery before 0.6.179 allows a remote attacker
to obtain sensitive information and execute arbitrary code via the order
parameter.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46575
https://github.com/meshery/meshery/pull/9372
https://github.com/meshery/meshery/commit/ffe00967acfe4444a5db08ff3a4cafb9adf6013f
Comment 1 Johannes Kastl 2023-11-27 11:54:12 UTC 
Hi, thanks for the bug report.

I just sent 0.6.181 to Factory in SR#1129111
https://build.opensuse.org/request/show/1129111

If I understand your assessment properly, this should fix the issue.

Kind Regards,
Johannes