=====================================================================
CERT-Renater Information Note No. 2026/VULN241
_____________________________________________________________________

DATE : 02/03/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running vitess (Go) versions prior to 22.0.4, 23.0.3.
=====================================================================

https://github.com/vitessio/vitess/security/advisories/GHSA-r492-hjgh-c9gw
https://github.com/vitessio/vitess/security/advisories/GHSA-8g8j-r87h-p36x
_____________________________________________________________________

Users with backup storage access can write to arbitrary file paths on restore
Severity: Critical
mattlord published GHSA-r492-hjgh-c9gw on Feb 25, 2026

Package: No package listed
Affected versions: v22.0.3 and older, v23.0.0 to v23.0.2
Patched versions: v22.0.4, v23.0.3

Description

Impact
Anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest — which may be files that they have also added to the manifest and backup contents — are written to any accessible location on restore. This is a common Path Traversal security issue. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there.
Patches
v23.0.3 and v22.0.4

Workarounds
N/A

References
#19470

Severity: Critical, 9.3 / 10
CVSS v4 base metrics
  Exploitability Metrics
    Attack Vector: Network
    Attack Complexity: Low
    Attack Requirements: None
    Privileges Required: High
    User Interaction: Passive
  Vulnerable System Impact Metrics
    Confidentiality: High
    Integrity: High
    Availability: Low
  Subsequent System Impact Metrics
    Confidentiality: Low
    Integrity: High
    Availability: High
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:H/SA:H

CVE ID: CVE-2026-27969
Weaknesses: CWE-22
Credits: @NeuroWinter (NeuroWinter), Reporter
_____________________________________________________________________

Users with backup storage access can gain unauthorized access to production deployment environments
Severity: High
mattlord published GHSA-8g8j-r87h-p36x on Feb 25, 2026

Package: No package listed
Affected versions: v22.0.3 and older, v23.0.0 to v23.0.2
Patched versions: v22.0.4, v23.0.3

Description

Impact
Anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there.

Patches
v23.0.3 and v22.0.4

Workarounds
If you intended to use an external decompressor then you can always specify that decompressor command in the --external-decompressor flag value for vttablet and vtbackup. That then overrides any value specified in the manifest file. If you did not intend to use an external decompressor, nor an internal one, then you can specify a value such as cat or tee in the --external-decompressor flag value for vttablet and vtbackup to ensure that a harmless command is always used.
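The two advisories above share one mitigation shape: every value read from a manifest in backup storage has to be treated as untrusted before the restore acts on it. The Go program below is an added example for this note; it is not Vitess code and does not use the Vitess manifest format. The Manifest type and its field names, the restore root, the sample entries and the allowlist of decompressor commands are all assumptions chosen for illustration. It shows a containment check that keeps restore paths inside the restore root (the CWE-22 issue) and models the advisory's --external-decompressor workaround as an operator override that always wins over the manifest, with an allowlist as the only other way a manifest-supplied command is honoured (the CWE-78 issue).

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed stand-in for a backup manifest. The field names are assumptions
// for this example; they are not Vitess's manifest schema.
type Manifest struct {
	FileEntries          []string // relative paths the restore would write
	ExternalDecompressor string   // command the manifest asks the restorer to run
}

var ErrPathEscape = errors.New("manifest entry resolves outside the restore root")

// SafeRestorePath joins an untrusted manifest entry onto the operator-controlled
// restore root and refuses any result that does not stay inside that root.
// Absence of this check is what turns a writable manifest into path traversal.
func SafeRestorePath(root, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", ErrPathEscape
	}
	cleanRoot := filepath.Clean(root)
	// Join runs Clean, so "../" segments are collapsed before the comparison.
	joined := filepath.Join(cleanRoot, name)
	rel, err := filepath.Rel(cleanRoot, joined)
	if err != nil {
		return "", ErrPathEscape
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return joined, nil
}

// ResolveDecompressor models the workaround: an operator-supplied
// --external-decompressor value always overrides the manifest, and a
// manifest-supplied command is only accepted if it is on a fixed allowlist.
// An empty result means "use the built-in decompressor".
func ResolveDecompressor(operatorFlag, manifestCmd string, allow map[string]bool) (string, error) {
	if operatorFlag != "" {
		return operatorFlag, nil
	}
	if manifestCmd == "" {
		return "", nil
	}
	if !allow[manifestCmd] {
		return "", fmt.Errorf("manifest decompressor %q is not allowlisted", manifestCmd)
	}
	return manifestCmd, nil
}

// ValidateManifest applies both checks and returns every problem found, so a
// restore can be refused before anything is written or executed.
func ValidateManifest(m Manifest, root, operatorFlag string, allow map[string]bool) []string {
	var problems []string
	for _, name := range m.FileEntries {
		if _, err := SafeRestorePath(root, name); err != nil {
			problems = append(problems, fmt.Sprintf("entry %q: %v", name, err))
		}
	}
	if _, err := ResolveDecompressor(operatorFlag, m.ExternalDecompressor, allow); err != nil {
		problems = append(problems, err.Error())
	}
	return problems
}

func main() {
	// Constructed manifest mixing legitimate entries with tampered ones.
	m := Manifest{
		FileEntries: []string{
			"Data/ibdata1",
			"Data/mysql/db.opt",
			"../../escaped/file", // tampered: climbs out of the restore root
			"/abs/path",          // tampered: absolute path
		},
		ExternalDecompressor: "/bin/sh", // tampered: not an allowlisted decompressor
	}
	allow := map[string]bool{"zstd -d": true, "pigz -d": true, "lz4 -d": true}

	fmt.Println("without --external-decompressor:")
	for _, p := range ValidateManifest(m, "/var/lib/vt/restore", "", allow) {
		fmt.Println("  ", p)
	}
	fmt.Println("with --external-decompressor=cat:")
	for _, p := range ValidateManifest(m, "/var/lib/vt/restore", "cat", allow) {
		fmt.Println("  ", p)
	}
}
```

Run as-is, the program lists the rejected entries twice: once with no operator flag, where the manifest's decompressor is rejected alongside the two bad paths, and once with --external-decompressor=cat, where the operator value overrides the manifest and only the two path problems remain. Reports of this kind, logged at restore time, are also a useful detection signal for tampering with the backup bucket.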
References
You can read more about the issue here: #19459

Severity: High, 8.4 / 10
CVSS v4 base metrics
  Exploitability Metrics
    Attack Vector: Network
    Attack Complexity: Low
    Attack Requirements: None
    Privileges Required: High
    User Interaction: Passive
  Vulnerable System Impact Metrics
    Confidentiality: High
    Integrity: High
    Availability: Low
  Subsequent System Impact Metrics
    Confidentiality: Low
    Integrity: Low
    Availability: Low
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L

CVE ID: CVE-2026-27965
Weaknesses: CWE-78
Credits: @NeuroWinter (NeuroWinter), Reporter

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41             +
+ 75013 Paris        | email:cert@support.renater.fr    +
=========================================================