1217505 – (CVE-2023-46575) VUL-0: CVE-2023-46575: mesheryctl: SQL injection in api/system/database endpoint

Bug 1217505 (CVE-2023-46575) - VUL-0: CVE-2023-46575: mesheryctl: SQL injection in api/system/database endpoint

Summary: VUL-0: CVE-2023-46575: mesheryctl: SQL injection in api/system/database endpoint

Status:	IN_PROGRESS

Alias:	CVE-2023-46575

Product:	openSUSE Tumbleweed
Classification:	openSUSE
Component:	Security (show other bugs)
Version:	Current
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal (vote)
Target Milestone:	---
Assignee:	Johannes Kastl
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/386057/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-11-27 06:46 UTC by SMASH SMASH
Modified:	2023-11-27 11:54 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2023-11-27 06:46:11 UTC

A SQL injection vulnerability in Meshery before 0.6.179 allows a remote attacker
to obtain sensitive information and execute arbitrary code via the order
parameter.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46575
https://github.com/meshery/meshery/pull/9372
https://github.com/meshery/meshery/commit/ffe00967acfe4444a5db08ff3a4cafb9adf6013f

Comment 1 Johannes Kastl 2023-11-27 11:54:12 UTC

Hi, thanks for the bug report.

I just sent 0.6.181 to Factory in SR#1129111
https://build.opensuse.org/request/show/1129111

If I understand your assessment properly, this should fix the issue.

Kind Regards,
Johannes