Lucene search

K

[email protected]NVD:CVE-2024-32886

HistoryMay 08, 2024 - 2:15 p.m.

CVE-2024-32886

2024-05-0814:15:08

CWE-835

[email protected]

web.nvd.nist.gov

vitess

mysql

database

clustering

endless loop

vulnerability

horizontal scaling

memory consumption

fix

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.4%

Vitess is a database clustering system for horizontal scaling of MySQL. When executing the following simple query, the vtgate will go into an endless loop that also keeps consuming memory and eventually will run out of memory. This vulnerability is fixed in 19.0.4, 18.0.5, and 17.0.7.

References

github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/convert.go#L73-L79

github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/unicode/utf16.go#L69-L71

github.com/vitessio/vitess/commit/2fd5ba1dbf6e9b32fdfdaf869d130066b1b5c0df

github.com/vitessio/vitess/commit/9df4b66550e46b5d7079e21ed0e1b0f49f92b055

github.com/vitessio/vitess/commit/c46dc5b6a4329a10589ca928392218d96031ac8d

github.com/vitessio/vitess/commit/d438adf7e34a6cf00fe441db80842ec669a99202

github.com/vitessio/vitess/security/advisories/GHSA-649x-hxfx-57j2

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.4%

Related for NVD:CVE-2024-32886

osv3 cvelist1 github1 vulnrichment1 veracode1 cve1