CVE-2023-29194
MEDIUM4.1EPSS 0.47%vitess allows users to create keyspaces that can deny access to already existing keyspaces
Description
### Impact Users can either intentionally or inadvertently create a keyspace containing `/` characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list all the keyspaces using `vtctldclient GetKeyspaces` will also return an error. Note that all other keyspaces can still be administered using the CLI (vtctldclient). ### Patches v16.0.1 (corresponding to 0.16.1 on pkg.go.dev) ### Workarounds Delete the offending keyspace using a CLI client (vtctldclient) ``` vtctldclient --server ... DeleteKeyspace a/b ``` Found during a security audit sponsored by the [CNCF](https://cncf.io) and facilitated by [OSTIF](https://ostif.org).
Affected packages (2)
- Go/vitess.io/vitessfrom 0, < 0.16.1
- Go/vitess.io/vitessfrom 0, < 0.16.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-29194
- PATCHhttps://github.com/vitessio/vitess
- PATCHhttps://github.com/vitessio/vitess/commits/v0.16.1/
- WEBhttps://github.com/vitessio/vitess/commit/adf10196760ad0b3991a7aa7a8580a544e6ddf88
- WEBhttps://github.com/vitessio/vitess/commits/v0.16.1
- WEBhttps://github.com/vitessio/vitess/security/advisories/GHSA-735r-hv67-g38f