CVE-2024-32886: Infinite Loop in Vitess

CWE-835 Infinite Loop | 5 documents | 4 sources
Severity
4.9 MEDIUM (NVD)
EPSS
0.1%
top 72.40%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 8
Latest update: May 14

Description

Vitess is a database clustering system for horizontal scaling of MySQL. When executing the following simple query, the `vtgate` will go into an endless loop that also keeps consuming memory and eventually will run out of memory. This vulnerability is fixed in 19.0.4, 18.0.5, and 17.0.7.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.2 | Impact: 3.6

Affected Packages (7 packages)

🔴 Vulnerability Details (3)

OSV: Denial of service attack by triggering unbounded memory usage in vitess.io/vitess (2024-05-10)
OSV: Vitess vulnerable to infinite memory consumption and vtgate crash (2024-05-08)
GHSA: Vitess vulnerable to infinite memory consumption and vtgate crash (2024-05-08)

📋 Vendor Advisories (1)

Microsoft: Vitess vulnerable to infinite memory consumption and vtgate crash (2024-05-14)