CVE-2024-53257Cross-site Scripting in Vitess

CWE-79Cross-site Scripting5 documents4 sources
Severity
4.9MEDIUMNVD
EPSS
0.0%
top 87.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Vitessio VitessVitess.io VitessMsrc Azl3 Vitess 19.0.4-7 ON Azure Linux 3.0+2 more
Timeline
PublishedDec 3
Latest updateDec 12

Description

Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using text/template instead of rendering with a proper HTML templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages5 packages

CVEListV5vitessio/vitess< 19.0.8+2
Govitess.io/vitess0.21.0-rc10.21.1+4

🔴Vulnerability Details

3
OSV
Vitess allows HTML injection in /debug/querylogz and /debug/env in vitess.io/vitess2024-12-12
GHSA
Vitess allows HTML injection in /debug/querylogz & /debug/env2024-12-03
OSV
Vitess allows HTML injection in /debug/querylogz & /debug/env2024-12-03

📋Vendor Advisories

1
Microsoft
Vitess allows HTML injection in /debug/querylogz & /debug/env2024-12-10