Description:
Vitess is a database clustering system for horizontal scaling of MySQL through generalized sharding. Prior to version 16.0.2, users can either intentionally or inadvertently create a shard containing / characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using vtctldclient does not have the same problem because the CLI validates the input correctly. Version 16.0.2, corresponding to version 0.16.2 of the go module, contains a patch for this issue. Some workarounds are available. Always use vtctldclient to create shards, instead of using VTAdmin; disable creating shards from VTAdmin using RBAC; and/or delete the topology record for the offending shard using the client for your topology server.
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
```yaml
modules:
    - module: github.com/vitessio/vitess
      packages:
        - package: vitess
description: |
    Vitess is a database clustering system for horizontal scaling of MySQL through generalized sharding. Prior to version 16.0.2, users can either intentionally or inadvertently create a shard containing `/` characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using `vtctldclient` does not have the same problem because the CLI validates the input correctly. Version 16.0.2, corresponding to version 0.16.2 of the `go` module, contains a patch for this issue. Some workarounds are available. Always use `vtctldclient` to create shards, instead of using VTAdmin; disable creating shards from VTAdmin using RBAC; and/or delete the topology record for the offending shard using the client for your topology server.
cves:
    - CVE-2023-29195
references:
    - advisory: https://github.com/vitessio/vitess/security/advisories/GHSA-pqj7-jx24-wj7w
    - report: https://github.com/vitessio/vitess/issues/12842
    - fix: https://github.com/vitessio/vitess/pull/12843
    - fix: https://github.com/vitessio/vitess/commit/9dcbd7de3180f47e94f54989fb5c66daea00c920
    - web: https://github.com/vitessio/vitess/releases/tag/v16.0.2
    - web: https://pkg.go.dev/vitess.io/vitess@v0.16.2
```
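To illustrate the class of bug this report describes (a UI entry point that skips the name validation the CLI performs), the following is an added Go example, not code from the Vitess project: a shard-name check applied before any topology write, and a topology-key helper showing why an unvalidated `/` in a shard name corrupts a hierarchical key and breaks the keyspace listing. The key layout `keyspaces/<ks>/shards/<shard>` and all function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// validateShardName rejects names that a hierarchical topology store cannot
// hold as a single record: empty names and names containing '/'.
func validateShardName(name string) error {
	if name == "" {
		return fmt.Errorf("invalid shard name: empty")
	}
	if strings.Contains(name, "/") {
		return fmt.Errorf("invalid shard name %q: must not contain '/'", name)
	}
	return nil
}

// shardKey builds the topology key for a shard record. The layout
// keyspaces/<ks>/shards/<shard> is an assumption for illustration.
func shardKey(keyspace, shard string) string {
	return path.Join("keyspaces", keyspace, "shards", shard)
}

// shardFromKey parses the shard name back out of a key, as a keyspace
// listing must. It fails once an unvalidated '/' has added a path component,
// which mirrors the "can no longer view the keyspace" symptom in the report.
func shardFromKey(key string) (string, error) {
	parts := strings.Split(key, "/")
	if len(parts) != 4 || parts[0] != "keyspaces" || parts[2] != "shards" {
		return "", fmt.Errorf("unexpected topology key %q", key)
	}
	return parts[3], nil
}

// createShard validates before any topology write, the behaviour the report
// attributes to vtctldclient and that VTAdmin lacked before 16.0.2.
func createShard(keyspace, shard string) (string, error) {
	if err := validateShardName(shard); err != nil {
		return "", err
	}
	return shardKey(keyspace, shard), nil
}

func main() {
	fmt.Println(createShard("commerce", "-80"))
	fmt.Println(createShard("commerce", "bad/shard"))
}
```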
CVE-2023-29195 references github.com/vitessio/vitess, which may be a Go module.