Vitess is a database clustering system for horizontal scaling of MySQL through generalized sharding. Prior to version 16.0.2, users can either intentionally or inadvertently create a shard containing `/` characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using `vtctldclient` does not have the same problem because the CLI validates the input correctly. Version 16.0.2, corresponding to version 0.16.2 of the `go` module, contains a patch for this issue. Some workarounds are available. Always use `vtctldclient` to create shards, instead of using VTAdmin; disable creating shards from VTAdmin using RBAC; and/or delete the topology record for the offending shard using the client for your topology server.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
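The fix the page describes comes down to validating a proposed shard name before it is written to the topology store, the way `vtctldclient` already did. The following Go snippet is an added illustration and is not Vitess code: `ValidateShardName`, `ShardRecordPath`, the `keyspaces/<keyspace>/shards/<shard>` key layout and the sample names are all assumptions chosen to show the check, not the project's real API or topology layout.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidShardName is returned for a name that must not reach the
// topology server. (Hypothetical error value, not from Vitess.)
var ErrInvalidShardName = errors.New("invalid shard name")

// ValidateShardName rejects an empty name and any name containing '/'.
// The advisory above describes a '/' in a shard name created via VTAdmin
// breaking later shard creation and keyspace views; the CLI path avoided
// the problem by validating input first. This helper mirrors that check.
func ValidateShardName(name string) error {
	if name == "" {
		return fmt.Errorf("%w: name is empty", ErrInvalidShardName)
	}
	if strings.Contains(name, "/") {
		return fmt.Errorf("%w: %q contains '/'", ErrInvalidShardName, name)
	}
	return nil
}

// ShardRecordPath builds the key under which a shard record would be
// stored, but only after both path components have been validated.
// The key layout is an assumption for this example.
func ShardRecordPath(keyspace, shard string) (string, error) {
	if err := ValidateShardName(keyspace); err != nil {
		return "", fmt.Errorf("keyspace: %w", err)
	}
	if err := ValidateShardName(shard); err != nil {
		return "", fmt.Errorf("shard: %w", err)
	}
	return fmt.Sprintf("keyspaces/%s/shards/%s", keyspace, shard), nil
}

func main() {
	// Constructed sample inputs: two well-formed shard names and one
	// containing the '/' character that the advisory warns about.
	for _, shard := range []string{"-80", "80-", "80/"} {
		path, err := ShardRecordPath("commerce", shard)
		if err != nil {
			fmt.Printf("rejected %q: %v\n", shard, err)
			continue
		}
		fmt.Printf("accepted %q -> %s\n", shard, path)
	}
}
```

Because the validation runs before any topology write, a bad name is rejected at the API boundary rather than being discovered only when the next create or list operation fails, which is the failure mode the advisory describes for unvalidated VTAdmin input.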
| Link | Tags |
|---|---|
| https://github.com/vitessio/vitess/security/advisories/GHSA-pqj7-jx24-wj7w | mitigation, vendor advisory |
| https://github.com/vitessio/vitess/issues/12842 | patch, issue tracking, exploit |
| https://github.com/vitessio/vitess/pull/12843 | patch, issue tracking |
| https://github.com/vitessio/vitess/commit/9dcbd7de3180f47e94f54989fb5c66daea00c920 | patch |
| https://github.com/vitessio/vitess/releases/tag/v16.0.2 | release notes |
| https://pkg.go.dev/vitess.io/vitess@v0.16.2 | product |