Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS03MzVyLWh2NjctZzM4Zs4AAyrt

vitess allows users to create keyspaces that can deny access to already existing keyspaces

Impact

Users can either intentionally or inadvertently create a keyspace containing / characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list all the keyspaces using vtctldclient GetKeyspaces will also return an error.
Note that all other keyspaces can still be administered using the CLI (vtctldclient).

Patches

v16.0.1 (corresponding to 0.16.1 on pkg.go.dev)

Workarounds

Delete the offending keyspace using a CLI client (vtctldclient)

vtctldclient --server ... DeleteKeyspace a/b

Found during a security audit sponsored by the CNCF and facilitated by OSTIF.

Permalink: https://github.com/advisories/GHSA-735r-hv67-g38f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03MzVyLWh2NjctZzM4Zs4AAyrt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago

CVSS Score: 4.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L

Identifiers: GHSA-735r-hv67-g38f, CVE-2023-29194
References:

• https://github.com/vitessio/vitess/security/advisories/GHSA-735r-hv67-g38f
• https://github.com/vitessio/vitess/commit/adf10196760ad0b3991a7aa7a8580a544e6ddf88
• https://github.com/vitessio/vitess/commits/v0.16.1/
• https://nvd.nist.gov/vuln/detail/CVE-2023-29194
• https://github.com/advisories/GHSA-735r-hv67-g38f

Repository: https://github.com/vitessio/vitess
Blast Radius: 9.7

Affected Packages