CVE-2024-53257: Vitess allows HTML injection in /debug/querylogz & /debug/env

December 3, 2024 (updated December 16, 2024)

The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will.

References

github.com/advisories/GHSA-7mwh-q3xm-qh6p
github.com/vitessio/vitess
github.com/vitessio/vitess/commit/2b71d1b5f8ca676beeab2875525003cd45096217
github.com/vitessio/vitess/security/advisories/GHSA-7mwh-q3xm-qh6p
nvd.nist.gov/vuln/detail/CVE-2024-53257

Detect and mitigate CVE-2024-53257 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →