CVE-2023-29195Improper Input Validation in Vitess

CWE-20Improper Input ValidationCWE-703Improper Check or Handling of Exceptional Conditions4 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 64.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Vitessio VitessVitess.io VitessLinuxfoundation Vitess+3 more
Timeline
PublishedMay 11

Description

Vitess is a database clustering system for horizontal scaling of MySQL through generalized sharding. Prior to version 16.0.2, users can either intentionally or inadvertently create a shard containing `/` characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using `vtctldclient` does not have the same problem because the CLI validates the input c

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages6 packages

CVEListV5vitessio/vitess< 16.0.2
Govitess.io/vitess< 0.16.2

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
VTAdmin users that can create shards can deny access to other functions2023-05-11
GHSA
VTAdmin users that can create shards can deny access to other functions2023-05-11

📋Vendor Advisories

1
Microsoft
Vitess VTAdmin users that can create shards can deny access to other functions2023-05-09