First published: Tue Dec 03 2024
### Summary

The `/debug/querylogz` and `/debug/env` pages for `vtgate` and `vttablet` do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will.

### Details

These pages are rendered using `text/template`, which performs no output escaping, instead of a proper HTML templating engine such as Go's `html/template`, which escapes interpolated values according to their HTML context. Any markup that appears inside a logged query (for example in a string literal) is therefore emitted verbatim into the status page.

### PoC

Execute any query where part of it is HTML markup, for example as part of a string. To make it easier to observe, you might want to make sure the query takes a few seconds to complete, giving you time to refresh the status page while it is still listed.

Example query that can trigger the issue:

```sql
UPDATE users SET email = CONCAT("<img src=https://cataas.com/cat/says/oops>", users.idUser, "@xxx") WHERE email NOT LIKE '%xxx%' AND email != "demo@xxx.com"
```

Result:

![image](https://github.com/user-attachments/assets/c583816b-157c-474e-bbed-152b3dc0372f)

### Impact

Anyone looking at the Vitess status page is affected. This would normally be the owners or administrators of the Vitess cluster. Anyone who can influence what text shows up in queries can trigger it, which in practice is nearly everybody interacting with a system that uses Vitess as a backend.
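To make the Details section concrete, the following Go program is an added example written for this page; it is not Vitess code and does not reproduce the actual Vitess templates. It renders the same template source once with `text/template` and once with `html/template`, using a constructed `queryLogEntry` type, an assumed single-row layout, and a constructed sample query that carries an `<img>` tag in a string literal, in the spirit of the PoC above.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// queryLogEntry is a constructed stand-in for one row of a query log on a
// status page. It is an assumption for this example, not a Vitess type.
type queryLogEntry struct {
	Method string
	SQL    string
}

// rowTemplate is the same template source handed to both engines. The
// layout is assumed for the demonstration; it is not the Vitess template.
const rowTemplate = `<tr><td>{{.Method}}</td><td>{{.SQL}}</td></tr>`

// renderWithTextTemplate reproduces the bug class described in the
// advisory: text/template substitutes values without any escaping, so
// markup inside the SQL string lands in the page exactly as written.
func renderWithTextTemplate(e queryLogEntry) (string, error) {
	t, err := texttemplate.New("row").Parse(rowTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, e); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderWithHTMLTemplate is the remedy: html/template knows the value is
// being inserted into element content and HTML-escapes it, so the browser
// displays the tag as text instead of interpreting it.
func renderWithHTMLTemplate(e queryLogEntry) (string, error) {
	t, err := htmltemplate.New("row").Parse(rowTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, e); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample: a query whose string literal carries an <img> tag,
	// mirroring the shape of the advisory's PoC with a placeholder host.
	entry := queryLogEntry{
		Method: "Execute",
		SQL:    `UPDATE users SET email = CONCAT("<img src=https://example.invalid/oops>", users.idUser, "@xxx") WHERE email NOT LIKE '%xxx%'`,
	}

	unsafe, err := renderWithTextTemplate(entry)
	if err != nil {
		panic(err)
	}
	safe, err := renderWithHTMLTemplate(entry)
	if err != nil {
		panic(err)
	}

	fmt.Println("text/template (markup passes through):")
	fmt.Println(unsafe)
	fmt.Println("html/template (markup is escaped):")
	fmt.Println(safe)
}
```

Running it side by side shows why the fix is a one-import change: with `text/template` the `<img ...>` tag appears raw inside the `<td>`, while `html/template` emits `&lt;img ... &gt;` and also escapes the surrounding double quotes. Note that `html/template` only protects the contexts it understands; if a status page ever places a logged value inside a `<script>` block or an unquoted attribute, the template must still be written so the engine can see that context, otherwise the escaping is wrong for where the value ends up.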
Credit: security-advisories@github.com
| Affected Software | Affected Version | Fixed in |
|---|---|---|
| go/vitess.io/vitess | <0.19.8 | 0.19.8 |
| go/vitess.io/vitess | >=0.20.0-rc1, <0.20.4 | 0.20.4 |
| go/vitess.io/vitess | >=0.21.0-rc1, <0.21.1 | 0.21.1 |