9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-46575

GHSA ID

GHSA-9jjc-grg5-67gj

EPSS Score

0.70849%

CWE

CWE-89

Published

11/24/2023

Updated

11/28/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-46575

CVE-2023-46575: SQL injection vulnerability in Meshery

A SQL injection vulnerability in Meshery before 0.6.179 allows a remote attacker to obtain sensitive information and execute arbitrary code via the order parameter.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-46575

CVE-2023-46575:

9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-46575

GHSA ID

GHSA-9jjc-grg5-67gj

EPSS Score

0.70849%

CWE

CWE-89

Published

11/24/2023

Updated

11/28/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/layer5io/meshery	go	< 0.6.179	0.6.179

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The critical vulnerability stemmed from the GetSystemDatabase handler not sanitizing the 'order' parameter before using it in SQL queries. The patch added 'order = models.SanitizeOrderInput(...)' immediately before query construction, indicating this parameter was previously unsanitized. While other functions used a 'sanitizeOrderInput' function pre-patch, they were at least attempting input validation (though its effectiveness would require deeper analysis). The GetSystemDatabase handler's complete lack of sanitization for this user-controlled parameter made it a clear injection vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-46575: SQL injection vulnerability in Meshery

CVE-2023-46575:

9.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-46575: SQL injection vulnerability in Meshery

9.1

9.1

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI