CVE-2024-53257
Vitess allows HTML injection in /debug/querylogz & /debug/env
Severity: MEDIUM 4.9 | EPSS: 0.06%
Description
### Summary

The `/debug/querylogz` and `/debug/env` pages for `vtgate` and `vttablet` do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will.

### Details

These pages are rendered using `text/template` instead of rendering with a proper HTML templating engine.

### PoC

Execute any query where part of it is HTML markup, for example as part of a string. To make it easier to observe, you might want to make sure the query takes a few seconds to complete, giving you time to refresh the status page. Example query that can trigger the issue:

```sql
UPDATE users SET email = CONCAT("<img src=https://cataas.com/cat/says/oops>", users.idUser, "@xxx") WHERE email NOT LIKE '%xxx%' AND email != "[email protected]"
```

Result: [screenshot not reproduced in this record]

### Impact

Anyone looking at the Vitess status page is affected. This would normally be owners / administrators of the Vitess cluster. Anyone that can influence what text shows up in queries can trigger it. This would normally be pretty much everybody interacting with a system that uses Vitess as a backend.
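The root cause named under Details is the choice of Go template package. The following is an added example, not code from the Vitess project: it renders a query-log row through `text/template` (the vulnerable path, where the attacker-controlled SQL text is copied into the page verbatim) and through `html/template` (the fix, where the same template is context-aware and escapes the text for an HTML text node). The `Row` type, the one-cell `page` template and the sample query are assumptions constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Row stands in for the kind of record a query-log status page renders.
// The SQL text is attacker-influenced: whoever can run a query controls it.
// (Constructed type; not the project's own data model.)
type Row struct {
	Query string
}

// page is a constructed stand-in for a status-page template: the same
// template source is used by both renderers below.
const page = `<table><tr><td>{{.Query}}</td></tr></table>`

// sampleQuery is a constructed query whose string literal carries HTML markup,
// in the spirit of the advisory's proof of concept.
const sampleQuery = `UPDATE users SET email = CONCAT("<img src=https://cataas.com/cat/says/oops>", users.idUser, "@xxx")`

// RenderWithTextTemplate mirrors the vulnerable path: text/template has no
// notion of output context, so .Query is written to the page byte for byte
// and any markup inside it is interpreted by the administrator's browser.
func RenderWithTextTemplate(r Row) (string, error) {
	t, err := texttemplate.New("querylogz").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, r); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderWithHTMLTemplate is the fix: html/template parses the template as
// HTML, sees that {{.Query}} sits in a text node, and HTML-escapes the value
// (< > & " ' become entities), so the markup is displayed rather than rendered.
func RenderWithHTMLTemplate(r Row) (string, error) {
	t, err := htmltemplate.New("querylogz").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, r); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	row := Row{Query: sampleQuery}

	unsafe, err := RenderWithTextTemplate(row)
	if err != nil {
		panic(err)
	}
	fmt.Println("text/template (vulnerable):")
	fmt.Println(unsafe)

	safe, err := RenderWithHTMLTemplate(row)
	if err != nil {
		panic(err)
	}
	fmt.Println("html/template (fixed):")
	fmt.Println(safe)
}
```

The only change between the two renderers is the import; the template text and the data are identical. That is why swapping `text/template` for `html/template` is the standard fix for this class of bug in Go status pages, and why a review of any handler that serves `text/html` from `text/template` is a useful audit step for cluster operators.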
Affected packages (2)
- Go / vitess.io/vitess: >= 0.21.0-rc1, < 0.21.1
- Go / vitess.io/vitess: from 0, < 0.19.8; >= 0.20.0, < 0.20.4; >= 0.21.0, < 0.21.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |