CVE-2024-53257

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-53257
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-53257.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-53257
Aliases
Related
Published
2024-12-03T16:15:23Z
Modified
2025-01-15T05:06:16.306405Z
Summary
[none]
Details

Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. As a result, queries executed through Vitess can inject arbitrary HTML into the monitoring page. These pages are rendered with Go's text/template package, which performs no HTML escaping, rather than an HTML-aware templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.

References

Affected packages

Git / github.com/vitessio/vitess

Affected ranges

Type
GIT
Repo
https://github.com/vitessio/vitess
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed

Affected versions

v0.*

v0.10.0
v0.10.2
v0.8.0
v0.9.0
v0.9.1

v10.*

v10.0.0
v10.0.0-rc1
v10.0.0-rc1-mysql80
v10.0.1
v10.0.2

v11.*

v11.0.0-rc1

v2.*

v2.0.0-alpha1
v2.0.0-alpha2
v2.0.0-alpha3
v2.0.0-alpha4
v2.0.0-alpha5
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-rc.1
v2.0.0-rc.2
v2.1.0-alpha.1
v2.2
v2.2-alpha
v2.2.0-rc.1

v3.*

v3.0
v3.0.0-rc.1
v3.0.0-rc.2
v3.0.0-rc.3

v5.*

v5.0.0
v5.0.1

v6.*

v6.0.0-rc.1

v7.*

v7.0.0-beta

v8.*

v8.0.0
v8.0.0-rc1
v8.0.0-test

v9.*

v9.0.0
v9.0.0-rc1
v9.0.1
v9.0.2