QwikSec

Security Database

CVE

CWE

Training

CVE-2024-32886

Published: May 8, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

4.9

MEDIUM

Description

Vitess is a database clustering system for horizontal scaling of MySQL. When executing the following simple query, the `vtgate` will go into an endless loop that also keeps consuming memory and eventually will run out of memory. This vulnerability is fixed in 19.0.4, 18.0.5, and 17.0.7.

Vendor	Product	Versions
vitessio	vitess	affected `< 17.0.7` affected `>= 18.0.0, < 18.0.5` affected `>= 19.0.0, < 19.0.4`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/vitessio/vitess/security/advisories/GHSA-649x-hxfx-57j2

x_refsource_CONFIRM

https://github.com/vitessio/vitess/commit/2fd5ba1dbf6e9b32fdfdaf869d130066b1b5c0df

x_refsource_MISC

https://github.com/vitessio/vitess/commit/9df4b66550e46b5d7079e21ed0e1b0f49f92b055

x_refsource_MISC

https://github.com/vitessio/vitess/commit/c46dc5b6a4329a10589ca928392218d96031ac8d

x_refsource_MISC

https://github.com/vitessio/vitess/commit/d438adf7e34a6cf00fe441db80842ec669a99202

x_refsource_MISC

https://github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/convert.go#L73-L79

x_refsource_MISC

https://github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/unicode/utf16.go#L69-L71

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.