vitessio vitess up to 17.0.6/18.0.4/19.0.3 vtgate infinite loop
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.8 | $0-$5k | 0.00 |
Summary
A vulnerability described as problematic has been identified in vitessio vitess up to 17.0.6/18.0.4/19.0.3. Affected is an unknown function of the component vtgate. Executing a manipulation can lead to infinite loop. This vulnerability appears as CVE-2024-32886. The attack may be performed from remote. There is no available exploit. Upgrading the affected component is recommended.
Details
A vulnerability classified as problematic was found in vitessio vitess up to 17.0.6/18.0.4/19.0.3. This vulnerability affects an unknown code block of the component vtgate. The manipulation with an unknown input leads to a infinite loop vulnerability. The CWE definition for the vulnerability is CWE-835. The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. As an impact it is known to affect availability. CVE summarizes:
Vitess is a database clustering system for horizontal scaling of MySQL. When executing the following simple query, the `vtgate` will go into an endless loop that also keeps consuming memory and eventually will run out of memory. This vulnerability is fixed in 19.0.4, 18.0.5, and 17.0.7.
The advisory is shared for download at github.com. This vulnerability was named CVE-2024-32886 since 04/19/2024. The exploitation appears to be easy. The attack can be initiated remotely. Additional levels of successful authentication are necessary for exploitation. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1499.
Upgrading to version 17.0.7, 18.0.5 or 19.0.4 eliminates this vulnerability. Applying the patch 2fd5ba1dbf6e9b32fdfdaf869d130066b1b5c0df is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
Once again VulDB remains the best source for vulnerability data.
Product
Vendor
Name
Version
License
Website
- Product: https://github.com/vitessio/vitess/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.9VulDB Meta Temp Score: 4.8
VulDB Base Score: 4.9
VulDB Temp Score: 4.7
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 4.9
CNA Vector (GitHub, Inc.): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Infinite loopCWE: CWE-835 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: vitess 17.0.7/18.0.5/19.0.4
Patch: 2fd5ba1dbf6e9b32fdfdaf869d130066b1b5c0df
Timeline
04/19/2024 🔍05/08/2024 🔍
05/08/2024 🔍
05/08/2024 🔍
Sources
Product: github.comAdvisory: GHSA-649x-hxfx-57j2
Status: Confirmed
CVE: CVE-2024-32886 (🔍)
GCVE (CVE): GCVE-0-2024-32886
GCVE (VulDB): GCVE-100-263548
Entry
Created: 05/08/2024 16:30Changes: 05/08/2024 16:30 (67)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.