CVE-2024-53257
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-53257
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-53257.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-53257
- Aliases
- Related
- Published
- 2024-12-03T16:15:23Z
- Modified
- 2025-05-18T03:33:58.620580Z
- Downstream
- Summary
- [none]
- Details
-
Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using text/template instead of rendering with a proper HTML templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.
- References
Affected packages
Git / github.com/vitessio/vitess
Affected ranges
- Type
- GIT
- Repo
- https://github.com/vitessio/vitess
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.10.0
v0.10.2
v0.8.0
v0.9.0
v0.9.1
v10.*
v10.0.0
v10.0.0-rc1
v10.0.0-rc1-mysql80
v10.0.1
v10.0.2
v11.*
v11.0.0-rc1
v2.*
v2.0.0-alpha1
v2.0.0-alpha2
v2.0.0-alpha3
v2.0.0-alpha4
v2.0.0-alpha5
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-rc.1
v2.0.0-rc.2
v2.1.0-alpha.1
v2.2
v2.2-alpha
v2.2.0-rc.1
v3.*
v3.0
v3.0.0-rc.1
v3.0.0-rc.2
v3.0.0-rc.3
v5.*
v5.0.0
v5.0.1
v6.*
v6.0.0-rc.1
v7.*
v7.0.0-beta
v8.*
v8.0.0
v8.0.0-rc1
v8.0.0-test
v9.*
v9.0.0
v9.0.0-rc1
v9.0.1
v9.0.2