Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using text/template instead of rendering with a proper HTML templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.
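The difference between the two Go template packages named in the description, shown as an added example that is not taken from the Vitess code base: the same row template is rendered once with text/template and once with html/template. The row template, the `queryLogRow` type, the function names and the sample query are constructed for illustration.

```go
package main

import (
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// rowTmpl is a constructed stand-in for one table row of a debug page.
// It is not the template Vitess ships.
const rowTmpl = `<tr><td>{{.Keyspace}}</td><td>{{.SQL}}</td></tr>`

// queryLogRow is a hypothetical record holding a logged query.
type queryLogRow struct {
	Keyspace string
	SQL      string
}

// renderWithTextTemplate copies field values into the output byte for byte,
// so markup inside the logged query becomes markup in the page.
func renderWithTextTemplate(r queryLogRow) (string, error) {
	t, err := texttemplate.New("row").Parse(rowTmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = t.Execute(&sb, r)
	return sb.String(), err
}

// renderWithHTMLTemplate applies contextual escaping, so the same query
// is displayed as text instead of being interpreted by the browser.
func renderWithHTMLTemplate(r queryLogRow) (string, error) {
	t, err := htmltemplate.New("row").Parse(rowTmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = t.Execute(&sb, r)
	return sb.String(), err
}

func main() {
	// Constructed sample: a query whose string literal contains HTML.
	row := queryLogRow{Keyspace: "commerce", SQL: "SELECT '<b>injected</b>' FROM dual"}
	raw, _ := renderWithTextTemplate(row)
	esc, _ := renderWithHTMLTemplate(row)
	fmt.Println("text/template:", raw)
	fmt.Println("html/template:", esc)
}
```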
History

Tue, 03 Dec 2024 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Vitessio
Vitessio vitess
CPEs cpe:2.3:a:vitessio:vitess:*:*:*:*:*:*:*:*
Vendors & Products Vitessio
Vitessio vitess
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Dec 2024 16:00:00 +0000

Type Values Removed Values Added
Description Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using text/template instead of rendering with a proper HTML templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.
Title Vitess allows HTML injection in /debug/querylogz & /debug/env
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-12-03T15:46:40.513Z

Updated: 2024-12-03T16:57:59.604Z

Reserved: 2024-11-19T20:08:14.480Z

Link: CVE-2024-53257

Vulnrichment

Updated: 2024-12-03T16:57:47.072Z

NVD

Status: Received

Published: 2024-12-03T16:15:23.693

Modified: 2024-12-03T16:15:23.693

Link: CVE-2024-53257

Redhat

No data.