GHSA-735r-hv67-g38f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-735r-hv67-g38f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-735r-hv67-g38f/GHSA-735r-hv67-g38f.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-735r-hv67-g38f
- Aliases
- Related
- Published
- 2023-04-11T21:12:42Z
- Modified
- 2024-05-20T21:51:28Z
- Severity
-
- 4.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVSS Calculator
- Summary
- vitess allows users to create keyspaces that can deny access to already existing keyspaces
- Details
-
Impact
Users can either intentionally or inadvertently create a keyspace containing
/characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list all the keyspaces usingvtctldclient GetKeyspaceswill also return an error. Note that all other keyspaces can still be administered using the CLI (vtctldclient).Patches
v16.0.1 (corresponding to 0.16.1 on pkg.go.dev)
Workarounds
Delete the offending keyspace using a CLI client (vtctldclient)
vtctldclient --server ... DeleteKeyspace a/bFound during a security audit sponsored by the CNCF and facilitated by OSTIF.
- Database specific
{ "nvd_published_at": "2023-04-14T19:15:00Z", "cwe_ids": [ "CWE-20", "CWE-703" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-04-11T21:12:42Z" }- References
Affected packages
Go / vitess.io/vitess
Package
- Name
- vitess.io/vitess
- View open source insights on deps.dev
- Purl
- pkg:golang/vitess.io/vitess