PT-2024-35696 · Unknown+3 · Mysql Server+3

Quinox · Published 2024-12-03 · Updated 2024-12-18 · CVE-2024-53257

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Vitess versions prior to 19.0.8
Vitess versions prior to 20.0.4
Vitess versions prior to 21.0.1

Description

Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input, allowing queries executed by Vitess to write HTML into the monitoring page at will. These pages are rendered using text/template instead of a proper HTML templating engine. Anyone looking at the Vitess status page is affected, typically owners or administrators of the Vitess cluster. Anyone who can influence the text that shows up in queries can trigger this issue.

Recommendations

For Vitess versions prior to 19.0.8, update to version 19.0.8 or later.
For Vitess versions prior to 20.0.4, update to version 20.0.4 or later.
For Vitess versions prior to 21.0.1, update to version 21.0.1 or later.

As a temporary workaround, consider restricting access to the /debug/querylogz and /debug/env pages for vtgate and vttablet until the issue is resolved. Avoid using queries that include HTML markup until the issue is fixed.
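
The root cause named in the description, rendering with text/template where Go's html/template is needed, is shown below as an added example (not Vitess code). The row template, the `logEntry` type, both function names and the sample query are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// rowTmpl is a constructed stand-in for one row of a query-log page.
// It is not the template Vitess ships.
const rowTmpl = `<tr><td>{{.SQL}}</td></tr>`

// logEntry is a hypothetical record holding the logged query text.
type logEntry struct{ SQL string }

// renderText mirrors the vulnerable pattern: text/template copies the
// query into the page byte for byte, so markup in it becomes live HTML.
func renderText(sql string) (string, error) {
	t, err := texttemplate.New("row").Parse(rowTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, logEntry{SQL: sql})
	return buf.String(), err
}

// renderHTML uses html/template, which escapes the value for the HTML
// context it lands in, so the same query is displayed as inert text.
func renderHTML(sql string) (string, error) {
	t, err := htmltemplate.New("row").Parse(rowTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, logEntry{SQL: sql})
	return buf.String(), err
}

func main() {
	// Constructed sample: a query whose string literal contains markup.
	q := "SELECT '<b>x</b>' FROM t"
	raw, _ := renderText(q)
	safe, _ := renderHTML(q)
	fmt.Println("text/template:", raw)
	fmt.Println("html/template:", safe)
}
```

When reviewing other debug or status handlers, any import of text/template whose output is served as text/html deserves the same check.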

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

AZL-53970
AZL-53977
CVE-2024-53257
GHSA-7MWH-Q3XM-QH6P
GO-2024-3306
OPENSUSE-SU-2024:14599-1

Affected Products

Mysql Server
Vitess
Vtgate
Vttablet