blob: 9145d7b68cbe1942c63e69e7b334c560dba93d70 [file] [log] [blame]
id: GO-TEST-ID
modules:
- module: github.com/pingcap/tidb
versions:
- introduced: 6.2.0
unsupported_versions:
- version: 6.1.2
type: last_affected
- version: 6.4.0-alpha1
type: last_affected
summary: TiDB vulnerable to Use of Externally-Controlled Format String
description: |-
TiDB server (importer CLI tool) prior to version 6.4.0 & 6.1.3 is vulnerable to
data source name injection. The database name for generating and inserting data
into a database does not properly sanitize user input which can lead to
arbitrary file reads."
cves:
- CVE-2022-3023
ghsas:
- GHSA-7fxj-fr3v-r9gj
references:
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-3023
- fix: https://github.com/pingcap/tidb/commit/d0376379d615cc8f263a0b17c031ce403c8dcbfb
- web: https://advisory.dw1.io/45
- web: https://huntr.dev/bounties/120f1346-e958-49d0-b66c-0f889a469540
notes:
- lint: 'modules[0] "github.com/pingcap/tidb": unsupported_versions: found 2 (want none)'
- lint: 'modules[0] "github.com/pingcap/tidb": version 6.2.0 does not exist'
- lint: 'summary: must contain an affected module or package path (e.g. "github.com/pingcap/tidb")'