CVE-2023-29195

2023-05-1120:15:09

CWE-20

CWE-703

[email protected]

web.nvd.nist.gov

vitess

database

clustering

cve-2023-29195

mysql

sharding

vtadmin

vtctldclient

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

4.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.7%

JSON

Vitess is a database clustering system for horizontal scaling of MySQL through generalized sharding. Prior to version 16.0.2, users can either intentionally or inadvertently create a shard containing / characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using vtctldclient does not have the same problem because the CLI validates the input correctly. Version 16.0.2, corresponding to version 0.16.2 of the go module, contains a patch for this issue. Some workarounds are available. Always use vtctldclient to create shards, instead of using VTAdmin; disable creating shards from VTAdmin using RBAC; and/or delete the topology record for the offending shard using the client for your topology server.

Affected configurations

Vulners

NVD

Node

vitessiovitessRange<16.0.2

CPENameOperatorVersion
linuxfoundation:vitesslinuxfoundation vitesslt16.0.2

CPE	Name	Operator	Version
linuxfoundation:vitess	linuxfoundation vitess	lt	16.0.2

CNA Affected

[
  {
    "vendor": "vitessio",
    "product": "vitess",
    "versions": [
      {
        "version": "< 16.0.2",
        "status": "affected"
      }
    ]
  }
]