Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using text/template instead of rendering with a proper HTML templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.
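The root cause named above, shown as an added example (not Vitess code): the same row template rendered once with `text/template`, which copies markup from the query text straight into the page, and once with `html/template`, which escapes it according to its HTML context. The `Row` type and the template are assumptions standing in for whatever the debug page actually renders.

```go
package main

import (
	"bytes"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Row mirrors the kind of data a query-log debug page renders (hypothetical
// shape). The SQL text comes straight from the client and is untrusted.
type Row struct {
	Method string
	SQL    string
}

const rowTmpl = `<tr><td>{{.Method}}</td><td>{{.SQL}}</td></tr>`

// RenderWithTextTemplate is the weak pattern: text/template performs no
// contextual escaping, so any markup inside the SQL lands in the page as-is.
func RenderWithTextTemplate(r Row) (string, error) {
	t, err := texttemplate.New("row").Parse(rowTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, r); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderWithHTMLTemplate is the fix: html/template escapes each field for
// the context it is inserted into, so the same string becomes inert text.
func RenderWithHTMLTemplate(r Row) (string, error) {
	t, err := htmltemplate.New("row").Parse(rowTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, r); err != nil {
		return "", err
	}
	return buf.String(), nil
}
```

Feeding both renderers a constructed row such as `Row{Method: "Execute", SQL: "select 1 /* <b>bold</b> */"}` shows the text/template output keeping the `<b>` tag while the html/template output contains `&lt;b&gt;`.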
History

Tue, 03 Dec 2024 17:15:00 +0000

Type | Values Removed | Values Added
---|---|---
First Time appeared | | Vitessio; Vitessio vitess
CPEs | | cpe:2.3:a:vitessio:vitess:*:*:*:*:*:*:*:*
Vendors & Products | | Vitessio; Vitessio vitess
Metrics | | ssvc

Tue, 03 Dec 2024 16:00:00 +0000

Type | Values Removed | Values Added
---|---|---
Description | | Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using text/template instead of rendering with a proper HTML templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.
Title | | Vitess allows HTML injection in /debug/querylogz & /debug/env
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-12-03T15:46:40.513Z
Updated: 2024-12-03T16:57:59.604Z
Reserved: 2024-11-19T20:08:14.480Z
Link: CVE-2024-53257
Vulnrichment
Updated: 2024-12-03T16:57:47.072Z
NVD
Status: Received
Published: 2024-12-03T16:15:23.693
Modified: 2024-12-03T16:15:23.693
Link: CVE-2024-53257
Redhat
No data.