cbcvebase.
CVE-2024-53257
published 2024-12-03

CVE-2024-53257: Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly…

PriorityP424medium4.9CVSS 3.1
AVNACLPRHUINSUCNIHAN
EPSS
0.43%
34.2th percentile
Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using text/template instead of rendering with a proper HTML templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.

Affected

11 ranges
VendorProductVersion rangeFixed in
msrcazl3_vitess_19.0.4-7_on_azure_linux_3.0
msrccbl2_vitess_17.0.7-6_on_cbl_mariner_2.0
msrccbl2_vitess_17.0.7-8_on_cbl_mariner_2.0
vitess.iovitess>= 0 < 0.19.80.19.8
vitess.iovitess>= 0.20.0 < 0.20.40.20.4
vitess.iovitess>= 0.20.0-rc1 < 0.20.40.20.4
vitess.iovitess>= 0.21.0 < 0.21.10.21.1
vitess.iovitess>= 0.21.0-rc1 < 0.21.10.21.1
vitessiovitess< 19.0.819.0.8
vitessiovitess
vitessiovitess

CVSS provenance

nvdv3.14.9MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
vendor_msrc4.9MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.