CVE-2024-53257 – vitess.io/vitess
Package
Manager: go
Name: vitess.io/vitess
Vulnerable Version: >=0.21.0-rc1 <0.21.1 || >=0.20.0-rc1 <0.20.4 || >=0 <0.19.8
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00028 pctl0.06262
Details
Vitess allows HTML injection in /debug/querylogz & /debug/env

### Summary

The `/debug/querylogz` and `/debug/env` pages for `vtgate` and `vttablet` do not escape user-controlled input. Any query executed through Vitess can therefore write arbitrary HTML into these monitoring pages.

### Details

These pages are rendered with Go's `text/template`, which interpolates values verbatim, instead of `html/template`, which escapes each value according to the HTML context it lands in.

### PoC

Execute any query that contains HTML markup, for example inside a string literal. To make the effect easier to observe, choose a query that takes a few seconds to complete so there is time to refresh the status page while it is still running.

Example query that triggers the issue:

```sql
UPDATE users SET email = CONCAT("<img src=https://cataas.com/cat/says/oops>", users.idUser, "@xxx") WHERE email NOT LIKE '%xxx%' AND email != "demo@xxx.com"
```

Result: (screenshot omitted)

### Impact

Anyone viewing the Vitess status pages is affected; normally that is the owners and administrators of the Vitess cluster. Anyone who can influence the text that shows up in a query can trigger it, which in practice means almost everyone who interacts with a system that uses Vitess as a backend.
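The following Go program is an added example, not Vitess's own code, that reproduces the root cause described above in isolation: the same one-row template is executed once through `text/template` (the vulnerable pattern) and once through `html/template` (the fix), with the advisory's PoC query as the logged SQL. The row template, the `QueryLogEntry` type and its field names are assumptions made for the example and do not match Vitess's real status-page templates.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// PoCQuery is the advisory's proof-of-concept query, used here as the
// attacker-influenced string that ends up in the query log.
const PoCQuery = `UPDATE users SET email = CONCAT("<img src=https://cataas.com/cat/says/oops>", users.idUser, "@xxx") WHERE email NOT LIKE '%xxx%' AND email != "demo@xxx.com"`

// QueryLogEntry is a constructed stand-in for one row of a querylogz-style
// page. It is not a Vitess type; the field names are assumed.
type QueryLogEntry struct {
	Method string
	SQL    string
}

// rowTemplate is a hypothetical minimal row template with the shape that
// matters: the query text is interpolated directly into an HTML table cell.
const rowTemplate = `<tr><td>{{.Method}}</td><td>{{.SQL}}</td></tr>`

// RenderWithTextTemplate mirrors the vulnerable pattern. text/template knows
// nothing about HTML, so the markup inside the query lands in the page as
// live markup that the viewer's browser will render and fetch.
func RenderWithTextTemplate(e QueryLogEntry) (string, error) {
	t, err := texttemplate.New("row").Parse(rowTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, e); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderWithHTMLTemplate is the fix. html/template applies contextual
// escaping, so inside a text node '<', '>', '"' and '\'' are emitted as
// entities and the query is displayed as literal characters.
func RenderWithHTMLTemplate(e QueryLogEntry) (string, error) {
	t, err := htmltemplate.New("row").Parse(rowTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, e); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ContainsRawTag reports whether the rendered row still carries the
// unescaped <img tag, i.e. whether the injection survived rendering.
func ContainsRawTag(rendered string) bool {
	return strings.Contains(rendered, "<img ")
}

func main() {
	entry := QueryLogEntry{Method: "Execute", SQL: PoCQuery}

	raw, err := RenderWithTextTemplate(entry)
	if err != nil {
		panic(err)
	}
	fmt.Println("text/template (vulnerable):", raw)
	fmt.Println("injection survived:", ContainsRawTag(raw))

	safe, err := RenderWithHTMLTemplate(entry)
	if err != nil {
		panic(err)
	}
	fmt.Println("html/template (fixed):    ", safe)
	fmt.Println("injection survived:", ContainsRawTag(safe))
}
```

Note that switching the package import is the whole fix only when the template interpolates into a text node or a quoted attribute; `html/template` escapes per context, so a value spliced into a URL, a `<script>` block or an unquoted attribute is handled differently, and a value wrapped in `template.HTML` is deliberately left unescaped.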
Metadata
Created: 2024-12-03T18:43:33Z
Modified: 2024-12-16T15:26:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-7mwh-q3xm-qh6p/GHSA-7mwh-q3xm-qh6p.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-7mwh-q3xm-qh6p
Finding: F425
Auto approve: 1