Anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest — which may be files that they have also added to the manifest and backup contents — are written to any accessible location on restore. This is a common Path Traversal security issue. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there.
v23.0.3 and v22.0.4
https://github.com/vitessio/vitess/pull/19470
0.22.40.23.3Exploitability
AV:NAC:LAT:NPR:HUI:PVulnerable System
VC:HVI:HVA:LSubsequent System
SC:LSI:HSA:H9.3/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:H/SA:H