CVE-2024-32886: Vitess vulnerable to infinite memory consumption and vtgate crash
When executing the following simple query, the vtgate will go into an endless loop that also keeps consuming memory and eventually will OOM.
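The advisory describes the failure class (a charset conversion loop in vtgate that never terminates and grows memory until the process is killed) but not the code path, and the query itself is not reproduced here. The example below is added to illustrate the defensive pattern a conversion loop needs, namely that every iteration must consume input and that output is bounded; it is not Vitess code, and the `Decoder`, `Convert` and `BrokenDecoder` names, the constructed inputs, and the assumption that a decoder reporting zero consumed bytes is what drives this class of loop are all this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf8"
)

// ErrNoProgress is returned when a decoder reports that it consumed zero bytes.
// Without this guard the conversion loop below would spin forever on the same input.
var ErrNoProgress = errors.New("charset decoder made no progress")

// ErrOutputTooLarge bounds the decoded output so that a pathological input
// cannot grow memory without limit.
var ErrOutputTooLarge = errors.New("decoded output exceeds limit")

// Decoder reads one code point from the front of src and reports how many
// bytes it consumed. A well-behaved decoder consumes at least one byte even
// for malformed input (substituting U+FFFD); a buggy one may report 0.
type Decoder func(src []byte) (r rune, width int)

// UTF8Decoder wraps the standard library decoder, which always consumes >= 1 byte
// when src is non-empty (invalid bytes yield RuneError with width 1).
func UTF8Decoder(src []byte) (rune, int) {
	return utf8.DecodeRune(src)
}

// BrokenDecoder is a constructed decoder (assumption, not Vitess code) that
// mimics the failure class: on a byte it cannot decode it returns width 0
// instead of skipping the byte, so a naive loop never advances.
func BrokenDecoder(src []byte) (rune, int) {
	if len(src) == 0 {
		return utf8.RuneError, 0
	}
	if src[0] >= 0x80 {
		return utf8.RuneError, 0
	}
	return rune(src[0]), 1
}

// Convert decodes src with dec into runes. Two guards make it safe against a
// misbehaving decoder: each iteration must consume at least one byte, and the
// output may not exceed maxRunes.
func Convert(src []byte, dec Decoder, maxRunes int) ([]rune, error) {
	out := make([]rune, 0, len(src))
	for len(src) > 0 {
		r, w := dec(src)
		if w <= 0 {
			// A decoder that does not advance would otherwise loop forever,
			// appending to out on every pass until the process runs out of memory.
			return nil, ErrNoProgress
		}
		if len(out) >= maxRunes {
			return nil, ErrOutputTooLarge
		}
		out = append(out, r)
		src = src[w:]
	}
	return out, nil
}

func main() {
	// Constructed inputs: valid UTF-8, and a string with a stray 0xff byte.
	good := []byte("héllo")
	bad := []byte("ab\xff")

	r, err := Convert(good, UTF8Decoder, 1024)
	fmt.Printf("utf8 good: %q err=%v\n", string(r), err)

	r, err = Convert(bad, UTF8Decoder, 1024)
	fmt.Printf("utf8 bad:  %q err=%v\n", string(r), err)

	// The broken decoder is stopped by the progress guard instead of spinning.
	_, err = Convert(bad, BrokenDecoder, 1024)
	fmt.Printf("broken bad: err=%v\n", err)
}
```

The progress guard is the cheap, general fix: a conversion loop that trusts `width` from every decoder is only as safe as its worst decoder, whereas checking `w <= 0` once per iteration turns an unbounded spin into a returned error. The output cap is a second, independent limit that still protects memory if some other bug makes the loop long but finite.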
References
- github.com/advisories/GHSA-649x-hxfx-57j2
- github.com/vitessio/vitess
- github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/convert.go
- github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/unicode/utf16.go
- github.com/vitessio/vitess/commit/2fd5ba1dbf6e9b32fdfdaf869d130066b1b5c0df
- github.com/vitessio/vitess/commit/9df4b66550e46b5d7079e21ed0e1b0f49f92b055
- github.com/vitessio/vitess/commit/c46dc5b6a4329a10589ca928392218d96031ac8d
- github.com/vitessio/vitess/commit/d438adf7e34a6cf00fe441db80842ec669a99202
- github.com/vitessio/vitess/security/advisories/GHSA-649x-hxfx-57j2
- nvd.nist.gov/vuln/detail/CVE-2024-32886