An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS03ZnhqLWZyM3Ytcjlnas4AAvtj

Severity: Critical
EPSS: 0.00171% (0.38667 percentile)

TiDB vulnerable to Use of Externally-Controlled Format String

Affected Packages:
  go:github.com/pingcap/tidb
  PURL: pkg:go/github.com%2Fpingcap%2Ftidb
Affected Versions:
  >= 6.2.0, <= 6.4.0-alpha1
  <= 6.1.2
Fixed Versions: No known fixed version
364 Dependent packages
501 Dependent repositories

Affected Version Ranges

All affected versions

v1.0.0, v1.0.1, v1.0.2, v1.0.3, v1.0.4, v1.0.5, v1.0.6, v1.0.7, v1.0.8, v1.0.9, v1.1.0-alpha, v1.1.0-alpha.1, v1.1.0-beta, v2.0.0+incompatible, v2.0.0-rc.1+incompatible, v2.0.0-rc.3+incompatible, v2.0.0-rc.4+incompatible, v2.0.0-rc.5+incompatible, v2.0.0-rc.6+incompatible, v2.0.1+incompatible, v2.0.2+incompatible, v2.0.3+incompatible, v2.0.4+incompatible, v2.0.5+incompatible, v2.0.6+incompatible, v2.0.7+incompatible, v2.0.8+incompatible, v2.0.9+incompatible, v2.0.10+incompatible, v2.0.10-binlog+incompatible, v2.0.11+incompatible, v2.0.11-binlog+incompatible, v2.1.0-alpha+incompatible, v2.1.0-beta+incompatible, v2.1.0-rc.1+incompatible, v2.1.0-rc.2+incompatible, v2.1.0-rc.3+incompatible, v2.1.0-rc.4+incompatible, v2.1.0-rc.5+incompatible

TiDB server's importer CLI tool, in versions prior to 6.4.0 and 6.1.3, is vulnerable to data source name (DSN) injection. The database name used when generating and inserting data is placed into the DSN without sanitizing user input, so a crafted name can alter the connection options and lead to arbitrary file reads. Note that this description names 6.4.0 and 6.1.3 as the first unaffected versions while the package table above lists no known fixed version; check the project's own release notes before relying on either.
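The example below is added here to illustrate the bug class; it is not code from TiDB or from the advisory. It assumes the go-sql-driver/mysql DSN layout (user:pass@tcp(host:port)/dbname?opt=val), which the page does not name, and the option name allowAllFiles is used only as a representative connection option that an injected name could set. buildDSNUnsafe pastes the database name straight into the DSN; parseDSNTail shows what the driver would see; buildDSNSafe is one hardening, an identifier allowlist chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// buildDSNUnsafe mirrors the vulnerable pattern: the caller-supplied database
// name is concatenated into the DSN, so a name containing "?" or "&" rewrites
// the driver's connection options.
func buildDSNUnsafe(user, password, host string, port int, dbName string) string {
	return fmt.Sprintf("%s:%s@tcp(%s:%d)/%s", user, password, host, port, dbName)
}

// dbNameRe is the allowlist used by the hardened builder. This is an assumption
// for the example; real MySQL identifiers permit more characters than this.
var dbNameRe = regexp.MustCompile(`^[A-Za-z0-9_]{1,64}$`)

var errBadDBName = errors.New("database name contains characters not allowed in a DSN path")

// buildDSNSafe refuses any name that could escape the database-name position.
func buildDSNSafe(user, password, host string, port int, dbName string) (string, error) {
	if !dbNameRe.MatchString(dbName) {
		return "", errBadDBName
	}
	return buildDSNUnsafe(user, password, host, port, dbName), nil
}

// parseDSNTail extracts the database name and the option map from a DSN of the
// assumed form user:pass@tcp(host:port)/dbname?k=v&k2=v2, so the effect of an
// injected name is visible without opening a connection.
func parseDSNTail(dsn string) (string, map[string]string, error) {
	path, query, _ := strings.Cut(dsn, "?")
	slash := strings.LastIndex(path, "/")
	if slash < 0 {
		return "", nil, errors.New("no database segment in DSN")
	}
	values, err := url.ParseQuery(query)
	if err != nil {
		return "", nil, err
	}
	params := make(map[string]string, len(values))
	for k, v := range values {
		params[k] = v[0]
	}
	return path[slash+1:], params, nil
}

func main() {
	// Constructed attacker-controlled database name; the option name is a
	// hypothetical stand-in for whatever the driver honours.
	hostile := "test?allowAllFiles=true"
	dsn := buildDSNUnsafe("root", "", "127.0.0.1", 4000, hostile)
	db, params, _ := parseDSNTail(dsn)
	fmt.Printf("unsafe: dsn=%q db=%q params=%v\n", dsn, db, params)
	if _, err := buildDSNSafe("root", "", "127.0.0.1", 4000, hostile); err != nil {
		fmt.Println("safe:", err)
	}
}
```

The allowlist is deliberately stricter than what the database accepts: for a CLI argument that only ever needs to name a schema, rejecting anything outside [A-Za-z0-9_] is cheaper and easier to audit than escaping each character the DSN grammar treats specially.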

References: