CVE-2023-29194

vitess allows users to create keyspaces that can deny access to already existing keyspaces

Description

Vitess is a database clustering system for horizontal scaling of MySQL. Users can either intentionally or inadvertently create a keyspace containing `/` characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list all the keyspaces using `vtctldclient GetKeyspaces` will also return an error. Note that all other keyspaces can still be administered using the CLI (vtctldclient). This issue is fixed in version 16.0.1. As a workaround, delete the offending keyspace using a CLI client (vtctldclient).

Category

4.1
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.07%
Vendor Advisory github.com
Affected: vitessio vitess
Published at:
Updated at:

References

Link Tags
https://github.com/vitessio/vitess/security/advisories/GHSA-735r-hv67-g38f vendor advisory
https://github.com/vitessio/vitess/commit/adf10196760ad0b3991a7aa7a8580a544e6ddf88 patch
https://github.com/vitessio/vitess/commits/v0.16.1/ release notes

Frequently Asked Questions

What is the severity of CVE-2023-29194?
CVE-2023-29194 has been scored as a medium severity vulnerability.
How to fix CVE-2023-29194?
To fix CVE-2023-29194, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-29194 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-29194 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-29194?
CVE-2023-29194 affects vitessio vitess.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.