{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2024-53257","title":"Title"},{"category":"description","text":"Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using text/template instead of rendering with a proper HTML templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2024-53257","url":"https://www.suse.com/security/cve/CVE-2024-53257"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"Advisory link for openSUSE-SU-2024:14599-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QTUY324RV3FFZBHVIWDHRCIOPJHIJIN4/"}],"title":"SUSE CVE CVE-2024-53257","tracking":{"current_release_date":"2026-03-13T10:30:51Z","generator":{"date":"2024-12-19T03:49:39Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2024-53257","initial_release_date":"2024-12-19T03:49:39Z","revision_history":[{"date":"2024-12-19T03:49:39Z","number":"2","summary":"Current version"},{"date":"2024-12-20T03:48:54Z","number":"3","summary":"Current version"},{"date":"2025-02-14T04:04:12Z","number":"4","summary":"Current version"},{"date":"2025-02-16T03:56:32Z","number":"5","summary":"Current version"},{"date":"2025-03-15T04:14:29Z","number":"6","summary":"Current version"},{"date":"2025-04-24T11:43:29Z","number":"7","summary":"Current version"},{"date":"2025-11-03T01:08:30Z","number":"8","summary":"Current version"},{"date":"2026-01-16T00:42:54Z","number":"9","summary":"unknown changes"},{"date":"2026-03-11T17:54:29Z","number":"10","summary":"unknown changes"},{"date":"2026-03-13T10:30:51Z","number":"11","summary":"unknown changes"}],"status":"interim","version":"11"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Server 16.0","product":{"name":"SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0","product_identification_helper":{"cpe":"cpe:/o:suse:sles:16:16.0:server"}}},{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"govulncheck-vulndb-0.0.20241213T205935-1.1","product":{"name":"govulncheck-vulndb-0.0.20241213T205935-1.1","product_id":"govulncheck-vulndb-0.0.20241213T205935-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/govulncheck-vulndb@0.0.20241213T205935-1.1?upstream=govulncheck-vulndb-0.0.20241213T205935-1.1.src.rpm"}}},{"category":"product_version","name":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","product":{"name":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","product_id":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","product_identification_helper":{"purl":"pkg:rpm/suse/govulncheck-vulndb@0.0.20250814T182633-160000.1.2?upstream=govulncheck-vulndb-0.0.20250814T182633-160000.1.2.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as component of SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2"},"product_reference":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","relates_to_product_reference":"SUSE Linux Enterprise Server 16.0"},{"category":"default_component_of","full_product_name":{"name":"govulncheck-vulndb-0.0.20241213T205935-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1"},"product_reference":"govulncheck-vulndb-0.0.20241213T205935-1.1","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2024-53257","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-53257"}],"notes":[{"category":"general","text":"Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using text/template instead of rendering with a proper HTML templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2","openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1"]},"references":[{"category":"external","summary":"CVE-2024-53257","url":"https://www.suse.com/security/cve/CVE-2024-53257"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"Advisory link for openSUSE-SU-2024:14599-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QTUY324RV3FFZBHVIWDHRCIOPJHIJIN4/"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2","openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1"]}],"threats":[{"category":"impact","date":"2024-12-03T17:01:54Z","details":"moderate"}],"title":"CVE-2024-53257"}]}