CVE-2024-32886
Denial of service attack by triggering unbounded memory usage in vitess.io/vitess
4.9
MEDIUM
CVSS 3.1
EPSS 0.13%
Description
When executing a query, the vtgate enters an endless loop that keeps allocating memory until the process runs out of memory and is OOM-killed, causing a denial of service. The referenced source locations are in vtgate's character-set conversion code (`go/mysql/collations/charset`, including the UTF-16 decoder). The CVSS vector rates attack complexity as low and requires no user interaction, but assumes high privileges (PR:H); the impact is availability only.
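As an added illustration (not Vitess's own code), the Go program below models the bug class the referenced files point at: a character-set conversion loop that advances its input by however many bytes the rune decoder reports, paired with a UTF-16 decoder that reports zero bytes consumed when fewer than two bytes remain. Because no bytes are consumed, the loop never terminates, yet it appends a replacement rune to the output on every pass, so memory grows without bound. The decoder contract, the function names and the sample inputs are assumptions made for this demo; the `maxOut` cap exists only so the broken variant terminates here.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf8"
)

// Decoder models a DecodeRune-style contract (assumed for this demo, not taken
// from the project): return the decoded rune and the number of input bytes consumed.
type Decoder func(p []byte) (rune, int)

// decodeUTF16BEBroken reproduces the bug class: on a truncated (odd-length)
// input it reports RuneError with ZERO bytes consumed, so callers never advance.
func decodeUTF16BEBroken(p []byte) (rune, int) {
	if len(p) < 2 {
		return utf8.RuneError, 0 // bug: no progress signalled to the caller
	}
	return decodeUTF16Unit(p)
}

// decodeUTF16BEFixed always consumes at least one byte, so a loop driven by
// its byte count is guaranteed to make progress on any input.
func decodeUTF16BEFixed(p []byte) (rune, int) {
	if len(p) < 2 {
		return utf8.RuneError, len(p) // swallow the dangling byte and move on
	}
	return decodeUTF16Unit(p)
}

// decodeUTF16Unit decodes one big-endian code unit or a surrogate pair.
// Lone or mismatched surrogates decode to RuneError and consume two bytes.
func decodeUTF16Unit(p []byte) (rune, int) {
	u := rune(p[0])<<8 | rune(p[1])
	if u < 0xD800 || u > 0xDFFF {
		return u, 2
	}
	if u >= 0xDC00 || len(p) < 4 { // lone low surrogate, or high surrogate with no pair
		return utf8.RuneError, 2
	}
	lo := rune(p[2])<<8 | rune(p[3])
	if lo < 0xDC00 || lo > 0xDFFF {
		return utf8.RuneError, 2
	}
	return 0x10000 + (u-0xD800)<<10 + (lo - 0xDC00), 4
}

var (
	ErrNoProgress  = errors.New("decoder consumed zero bytes")
	ErrOutputLimit = errors.New("output exceeded limit")
)

// convertUnchecked trusts the decoder's byte count without a progress check.
// maxOut is only here so the demo stops; a real server has no such cap and
// simply grows until it is OOM-killed.
func convertUnchecked(dec Decoder, in []byte, maxOut int) ([]byte, error) {
	out := make([]byte, 0, len(in))
	for len(in) > 0 {
		r, size := dec(in)
		out = utf8.AppendRune(out, r)
		in = in[size:] // size == 0 leaves `in` unchanged: endless loop
		if len(out) > maxOut {
			return nil, ErrOutputLimit
		}
	}
	return out, nil
}

// convertChecked is the hardened loop: a decoder that reports zero consumed
// bytes is a fatal decoding error, never something to spin on.
func convertChecked(dec Decoder, in []byte) ([]byte, error) {
	out := make([]byte, 0, len(in))
	for len(in) > 0 {
		r, size := dec(in)
		if size <= 0 {
			return nil, ErrNoProgress
		}
		out = utf8.AppendRune(out, r)
		in = in[size:]
	}
	return out, nil
}

func main() {
	// Constructed inputs: "Hi" followed by U+1F600 as a surrogate pair, and a
	// single dangling byte that no UTF-16 code unit can be formed from.
	valid := []byte{0x00, 0x48, 0x00, 0x69, 0xD8, 0x3D, 0xDE, 0x00}
	odd := []byte{0xFF}

	out, _ := convertChecked(decodeUTF16BEFixed, valid)
	fmt.Printf("valid input        -> %q\n", out)

	_, err := convertUnchecked(decodeUTF16BEBroken, odd, 1<<16)
	fmt.Println("unchecked + broken ->", err) // output grows until the demo cap trips

	_, err = convertChecked(decodeUTF16BEBroken, odd)
	fmt.Println("checked + broken   ->", err) // fails fast instead of looping

	out, _ = convertChecked(decodeUTF16BEFixed, odd)
	fmt.Printf("fixed decoder      -> %q\n", out)
}
```

Both halves of the fix matter independently: the decoder must never report zero consumed bytes on non-empty input, and the consuming loop should refuse to continue if it ever does, since a single missed case in any decoder turns a malformed literal into a remote out-of-memory.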
How to fix CVE-2024-32886
To remediate CVE-2024-32886, upgrade the affected package to a fixed version below.
- Go/github.com/vitessio/vitess—upgrade to 19.0.4 or later
- —upgrade to 0.17.7 or later
- —upgrade to 0.17.7, 0.18.5, or 0.19.4 or later, whichever fixed release matches your minor line (see the affected ranges below)
Is CVE-2024-32886 being exploited?
Low: EPSS is 0.13%, meaning the model estimates a low probability of exploitation in the wild over the next 30 days. EPSS measures likelihood, not impact or ease: the CVSS vector rates attack complexity as low, so an attacker with the required privileges on a reachable vtgate can trigger the condition with a single query.
Affected packages (3)
- >= 19.0.0, < 19.0.4
- from 0, < 0.17.7
- < 0.17.7; >= 0.18.0, < 0.18.5; >= 0.19.0, < 0.19.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.9) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
References (9)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2024-32886
- PATCH: github.com/vitessio/vitess
- WEB: github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/convert.go#L73-L79
- WEB: github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/unicode/utf16.go#L69-L71