CVE-2023-29194 MEDIUM

CVE-2023-29194: vitess allows users to create keyspaces that can deny access to already existing keyspaces

Vendor Vitessio
Product vitess
Weakness CWE-20 · Input validation
Published April 14, 2023
Last update February 6, 2025

CVSS base score

4.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L

What the vulnerability does

01Description

Vitess is a database clustering system for horizontal scaling of MySQL. Users can either intentionally or inadvertently create a keyspace containing `/` characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list all the keyspaces using `vtctldclient GetKeyspaces` will also return an error. Note that all other keyspaces can still be administered using the CLI (vtctldclient). This issue is fixed in version 16.0.1. As a workaround, delete the offending keyspace using a CLI client (vtctldclient).

Key dates

02Disclosure timeline

April 14, 2023 CVE published
February 6, 2025 Record updated