
x/vulndb: potential Go vuln in github.com/vitessio/vitess: CVE-2023-29195 #1770

Closed
GoVulnBot opened this issue May 11, 2023 · 1 comment

CVE-2023-29195 references github.com/vitessio/vitess, which may be a Go module.

Description:
Vitess is a database clustering system for horizontal scaling of MySQL through generalized sharding. Prior to version 16.0.2, users can either intentionally or inadvertently create a shard containing / characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using vtctldclient does not have the same problem because the CLI validates the input correctly. Version 16.0.2, corresponding to version 0.16.2 of the go module, contains a patch for this issue. Some workarounds are available. Always use vtctldclient to create shards, instead of using VTAdmin; disable creating shards from VTAdmin using RBAC; and/or delete the topology record for the offending shard using the client for your topology server.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/vitessio/vitess
    packages:
      - package: vitess
description: |
    Vitess is a database clustering system for horizontal scaling of MySQL through generalized sharding. Prior to version 16.0.2, users can either intentionally or inadvertently create a shard containing `/` characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using `vtctldclient` does not have the same problem because the CLI validates the input correctly. Version 16.0.2, corresponding to version 0.16.2 of the `go` module, contains a patch for this issue. Some workarounds are available. Always use `vtctldclient` to create shards, instead of using VTAdmin; disable creating shards from VTAdmin using RBAC; and/or delete the topology record for the offending shard using the client for your topology server.
cves:
  - CVE-2023-29195
references:
  - advisory: https://github.com/vitessio/vitess/security/advisories/GHSA-pqj7-jx24-wj7w
  - report: https://github.com/vitessio/vitess/issues/12842
  - fix: https://github.com/vitessio/vitess/pull/12843
  - fix: https://github.com/vitessio/vitess/commit/9dcbd7de3180f47e94f54989fb5c66daea00c920
  - web: https://github.com/vitessio/vitess/releases/tag/v16.0.2
  - web: https://pkg.go.dev/vitess.io/[email protected]
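As an added example, not code from the Vitess project or from this report, the following Go snippet illustrates the class of input check the description says the CLI path performs and the VTAdmin path lacked: a hypothetical `ValidateShardName` guards a hypothetical topology key builder. The key layout and the accepted shard-name syntax are both assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Assumed topology layout, for illustration only (not Vitess's real key layout).
const keyspacesPrefix = "keyspaces"
// Valid names for this example: "0" or a hex key range like "-80", "40-80", "80-".
var shardNameRE = regexp.MustCompile(`^(0|[0-9a-fA-F]*-[0-9a-fA-F]*)$`)

// ValidateShardName is a hypothetical input check of the kind the CLI path
// applies: reject empty names, a path separator, or a malformed key range.
func ValidateShardName(name string) error {
	switch {
	case name == "":
		return fmt.Errorf("shard name must not be empty")
	case strings.Contains(name, "/"):
		return fmt.Errorf("shard name %q must not contain '/'", name)
	case !shardNameRE.MatchString(name):
		return fmt.Errorf("shard name %q is not a valid key range", name)
	}
	return nil
}

// ShardPath builds the topology key for a shard record from raw input. With a
// name like "-80/evil" the key gains an extra component, so the record lands
// where no reader expects it and later listings fail, as the report describes.
func ShardPath(keyspace, shard string) string {
	return path.Join(keyspacesPrefix, keyspace, "shards", shard, "Shard")
}

// SafeShardPath is the hardened form: validate before touching the topology.
func SafeShardPath(keyspace, shard string) (string, error) {
	if err := ValidateShardName(shard); err != nil {
		return "", err
	}
	return ShardPath(keyspace, shard), nil
}

func main() {
	for _, s := range []string{"-80", "0", "-80/evil", "a/b", "x"} {
		p, err := SafeShardPath("commerce", s)
		fmt.Printf("%-10q key=%q err=%v\n", s, p, err)
	}
}
```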

@jba jba self-assigned this May 14, 2023
@jba jba added the duplicate label May 14, 2023
jba commented May 14, 2023

Duplicate of #1769

@jba jba marked this as a duplicate of #1769 May 14, 2023