CVE-2024-29031

7.5 HIGH

📋 TL;DR

This SQL injection vulnerability in Meshery allows remote attackers to extract sensitive information from the database by manipulating the 'order' parameter in the GetMeshSyncResources function. Organizations running Meshery versions prior to 0.7.17 are affected, particularly those with internet-facing deployments.

💻 Affected Systems

Products:
  • Meshery
Versions: All versions prior to 0.7.17
Operating Systems: All platforms running Meshery
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the vulnerable endpoint accessible are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including extraction of sensitive configuration data, credentials, and infrastructure details, potentially leading to full system takeover.

🟠 Likely Case

Information disclosure of database contents including configuration details, service mesh data, and potentially sensitive operational information.

🟢 If Mitigated

Limited or no impact if proper input validation and parameterized queries are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via the 'order' parameter suggests straightforward exploitation for information disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.7.17

Vendor Advisory: https://github.com/meshery/meshery/commit/8e995ce21af02d32ef61689c1e1748a745917f13

Restart Required: Yes

Instructions:

  1. Update Meshery to version 0.7.17 or later.
  2. Restart the Meshery service.
  3. Verify the patch is applied by checking the version.

🔧 Temporary Workarounds

Input Validation Filter (all)

Implement input validation to restrict the 'order' parameter to safe values.

Network Access Restriction (all)

Restrict network access to Meshery endpoints to trusted sources only.
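The allowlist check that the input-validation workaround describes looks like the following. This is an added example written for this page, not Meshery's own code and not the fix in the linked commit; it is in Go because Meshery is written in Go. The column names in the allowlist are placeholders, and ValidateOrder is a hypothetical helper whose return value would be the only thing a handler ever appends to its ORDER BY clause.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// allowedOrderColumns is a constructed allowlist for the demonstration;
// in a real handler it must list exactly the sortable columns of the
// table being queried, taken from the schema, never from the request.
var allowedOrderColumns = map[string]bool{
	"id":         true,
	"kind":       true,
	"name":       true,
	"created_at": true,
	"updated_at": true,
}

// ErrBadOrder is returned for any value outside the allowlist.
var ErrBadOrder = errors.New("order parameter rejected")

// ValidateOrder maps an untrusted "order" query parameter onto a safe
// ORDER BY fragment. Accepted input is "<column>" or "<column> asc|desc"
// where <column> is in the allowlist; the returned string is rebuilt
// from the allowlisted name and a fixed direction, so nothing from the
// request (quotes, comments, extra statements) reaches the SQL text.
func ValidateOrder(raw string) (string, error) {
	fields := strings.Fields(raw)
	if len(fields) == 0 {
		return "", nil // no ordering requested; caller applies its default
	}
	if len(fields) > 2 {
		return "", ErrBadOrder
	}
	col := strings.ToLower(fields[0])
	if !allowedOrderColumns[col] {
		return "", ErrBadOrder
	}
	dir := "asc"
	if len(fields) == 2 {
		switch strings.ToLower(fields[1]) {
		case "asc":
			dir = "asc"
		case "desc":
			dir = "desc"
		default:
			return "", ErrBadOrder
		}
	}
	return col + " " + dir, nil
}

func main() {
	inputs := []string{"name desc", "created_at", "id ASC", "name; SELECT 1 --", "name desc, id"}
	for _, in := range inputs {
		out, err := ValidateOrder(in)
		if err != nil {
			fmt.Printf("%-20q -> rejected\n", in)
			continue
		}
		fmt.Printf("%-20q -> ORDER BY %s\n", in, out)
	}
}
```

The important property is that the output is assembled from constants and allowlisted names rather than echoed from the request: a multi-column or decorated value is rejected outright instead of being "cleaned". If the handler uses an ORM or query builder that accepts a raw ORDER BY string, only the validated fragment should be passed to it.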

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with SQL injection protection rules
  • Restrict network access to Meshery to internal networks only

🔍 How to Verify

Check if Vulnerable:

Check Meshery version: if version is less than 0.7.17, the system is vulnerable.

Check Version:

mesheryctl version

Verify Fix Applied:

Confirm Meshery version is 0.7.17 or higher and test the GetMeshSyncResources endpoint with SQL injection attempts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed parameter validation attempts
  • Suspicious 'order' parameter values in web logs

Network Indicators:

  • SQL injection patterns in HTTP requests to Meshery endpoints
  • Unusual database query patterns from Meshery application

SIEM Query:

source="meshery" AND (http_request LIKE "%order=%" AND http_request MATCH "[';]|UNION|SELECT")
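The SIEM expression above can be prototyped offline before it is deployed. The following Go program is an added example, not part of this advisory or of Meshery: it applies the same pattern test (quotes, statement separators, SQL comment openers, UNION/SELECT) to the URL-decoded 'order' value of a few constructed access-log lines. The /api/resources path and the query values in the sample are made up for the demonstration and are not real Meshery traffic.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleLogLines are constructed access-log lines for the demonstration;
// the /api/resources path and the query values are made up, not real
// Meshery traffic.
var sampleLogLines = []string{
	`10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/resources?order=name%20desc HTTP/1.1" 200 512`,
	`10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /api/resources?order=id%27%3B%20SELECT%20version()%20-- HTTP/1.1" 500 0`,
	`10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /api/resources?order=id%20UNION%20SELECT%201 HTTP/1.1" 200 1024`,
	`10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /api/health HTTP/1.1" 200 12`,
}

// requestTarget pulls the request target ("/path?query") out of the
// quoted request line of a common-log-format entry.
var requestTarget = regexp.MustCompile(`"[A-Z]+ (\S+) HTTP/`)

// suspicious mirrors the advisory's SIEM expression: quotes, statement
// separators, SQL comment openers and the UNION/SELECT keywords.
var suspicious = regexp.MustCompile(`(?i)['";]|--|/\*|\bunion\b|\bselect\b`)

// Hit records a log line whose decoded "order" value matched.
type Hit struct {
	Line  int    // 1-based index into the scanned input
	Value string // decoded order parameter value
}

// orderValues returns every decoded value of the "order" key. The query
// is split by hand rather than with url.ParseQuery so that a literal
// semicolon in the raw query does not make the parser discard the pair,
// which would hide exactly the values this scan is looking for.
func orderValues(rawQuery string) []string {
	var vals []string
	for _, pair := range strings.Split(rawQuery, "&") {
		key, val, _ := strings.Cut(pair, "=")
		if key != "order" {
			continue
		}
		decoded, err := url.QueryUnescape(val)
		if err != nil {
			decoded = val // keep the raw value if it is not valid encoding
		}
		vals = append(vals, decoded)
	}
	return vals
}

// ScanAccessLog returns one Hit per line whose order parameter matches
// the suspicious pattern after URL decoding.
func ScanAccessLog(lines []string) []Hit {
	var hits []Hit
	for i, line := range lines {
		m := requestTarget.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		_, rawQuery, hasQuery := strings.Cut(m[1], "?")
		if !hasQuery {
			continue
		}
		for _, v := range orderValues(rawQuery) {
			if suspicious.MatchString(v) {
				hits = append(hits, Hit{Line: i + 1, Value: v})
			}
		}
	}
	return hits
}

func main() {
	for _, h := range ScanAccessLog(sampleLogLines) {
		fmt.Printf("line %d: suspicious order value %q\n", h.Line, h.Value)
	}
}
```

Decoding before matching is the point of the exercise: a pattern applied to the raw request line would miss a percent-encoded quote or keyword, which is why the scan unescapes each value first. Expect some benign hits from values such as a column named "select"; tune the allowlist-based validation on the server rather than weakening the detection pattern.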
