CVE-2023-29194Improper Input Validation in Vitess

CWE-20Improper Input ValidationCWE-703Improper Check or Handling of Exceptional Conditions5 documents4 sources
Severity
2.7LOWNVD
EPSS
0.6%
top 29.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Vitessio VitessVitess.io VitessLinuxfoundation Vitess+3 more
Timeline
Latest updateApr 12
PublishedApr 14

Description

Vitess is a database clustering system for horizontal scaling of MySQL. Users can either intentionally or inadvertently create a keyspace containing `/` characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list all the keyspaces using `vtctldclient GetKeyspaces` will also return an error. Note that all other keyspaces can still be administered using the CLI (vtctldclient). This issue is fixed in version 16.0.1. As a workaround,

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:LExploitability: 1.2 | Impact: 1.4

Affected Packages6 packages

CVEListV5vitessio/vitess< 0.16.1
Govitess.io/vitess< 0.16.1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
Improper handling of keyspaces in vitess.io/vitess2023-04-12
OSV
vitess allows users to create keyspaces that can deny access to already existing keyspaces2023-04-11
GHSA
vitess allows users to create keyspaces that can deny access to already existing keyspaces2023-04-11

📋Vendor Advisories

1
Microsoft
vitess allows users to create keyspaces that can deny access to already existing keyspaces2023-04-11