GHSA-pqj7-jx24-wj7w

Source
https://github.com/advisories/GHSA-pqj7-jx24-wj7w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-pqj7-jx24-wj7w/GHSA-pqj7-jx24-wj7w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pqj7-jx24-wj7w
Aliases
Published
2023-05-11T19:40:49Z
Modified
2023-11-08T04:12:17.029002Z
Severity
  • 4.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
Summary
VTAdmin users that can create shards can deny access to other functions
Details

Impact

Users can, either intentionally or inadvertently, create a shard from VTAdmin whose name contains '/' characters; from that point on, anyone who tries to create a new shard from VTAdmin receives an error, and viewing the keyspace(s) no longer works either. Creating a shard with vtctldclient does not have the same problem, because the CLI validates the input correctly.

Patches

v16.0.2, corresponding to 0.16.2 on pkg.go.dev

Workarounds

  • Always use vtctldclient to create shards, instead of using VTAdmin
  • Disable creating shards from VTAdmin using RBAC
  • Delete the topology record for the offending shard using the client for your topology server. For example, if you created a shard called a/b in keyspace commerce, and you are running etcd, it can be deleted by doing something like
    % etcdctl --endpoints "http://${ETCD_SERVER}" del /vitess/global/keyspaces/commerce/shards/a/b/Shard
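The failure mode and the fix in miniature, as an added Go example that is not Vitess code: the topology key layout is taken from the etcdctl workaround above, ListShards is a constructed model of a path-based keyspace view, and a map stands in for the topology server.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ValidateShardName is the input check VTAdmin lacked (illustrative, not Vitess's own code):
// the topo key is a joined path, so a '/' in the name nests the record under a spurious key.
func ValidateShardName(shard string) error {
	if shard == "" || strings.Contains(shard, "/") {
		return fmt.Errorf("invalid shard name %q: must be non-empty and contain no '/'", shard)
	}
	return nil
}

// ShardTopoKey builds the global topo key in the layout shown by the advisory's etcdctl
// workaround (root "/vitess/global" assumed).
func ShardTopoKey(keyspace, shard string) string {
	return path.Join("/vitess/global/keyspaces", keyspace, "shards", shard, "Shard")
}
// CreateShard validates before writing; the map stands in for the topology server.
func CreateShard(topo map[string]string, keyspace, shard string) error {
	if err := ValidateShardName(shard); err != nil {
		return err
	}
	topo[ShardTopoKey(keyspace, shard)] = "{}" // constructed placeholder record
	return nil
}

// ListShards is a constructed model of a keyspace view: each immediate child of .../shards/ is
// a shard name that must own a Shard record, so an unvalidated "a/b" breaks the whole view.
func ListShards(topo map[string]string, keyspace string) ([]string, error) {
	prefix := path.Join("/vitess/global/keyspaces", keyspace, "shards") + "/"
	var names []string
	for key := range topo {
		if !strings.HasPrefix(key, prefix) {
			continue
		}
		name := strings.SplitN(strings.TrimPrefix(key, prefix), "/", 2)[0]
		if topo[ShardTopoKey(keyspace, name)] == "" {
			return nil, fmt.Errorf("shard %q has no Shard record", name)
		}
		if key == ShardTopoKey(keyspace, name) {
			names = append(names, name)
		}
	}
	return names, nil
}
```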

References

https://github.com/vitessio/vitess/issues/12842

Found during a security audit sponsored by the CNCF and facilitated by OSTIF.

Affected packages

Go / vitess.io/vitess

Package

Name
vitess.io/vitess
Purl
pkg:golang/vitess.io/vitess

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.16.2