| { |
| "schema_version": "1.4.0", |
| "id": "GHSA-7fxj-fr3v-r9gj", |
| "modified": "2022-11-24T01:13:44Z", |
| "published": "2022-11-04T19:01:17Z", |
| "aliases": [ |
| "CVE-2022-3023" |
| ], |
| "summary": "TiDB vulnerable to Use of Externally-Controlled Format String", |
| "details": "TiDB server (importer CLI tool) prior to version 6.4.0 \u0026 6.1.3 is vulnerable to data source name injection. The database name for generating and inserting data into a database does not properly sanitize user input which can lead to arbitrary file reads.", |
| "affected": [ |
| { |
| "package": { |
| "ecosystem": "Go", |
| "name": "github.com/pingcap/tidb" |
| }, |
| "ranges": [ |
| { |
| "type": "ECOSYSTEM", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "last_affected": "6.1.2" |
| } |
| ] |
| } |
| ] |
| }, |
| { |
| "package": { |
| "ecosystem": "Go", |
| "name": "github.com/pingcap/tidb" |
| }, |
| "ranges": [ |
| { |
| "type": "ECOSYSTEM", |
| "events": [ |
| { |
| "introduced": "6.2.0" |
| }, |
| { |
| "last_affected": "6.4.0-alpha1" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "severity": [ |
| { |
| "type": "CVSS_V3", |
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" |
| } |
| ], |
| "references": [ |
| { |
| "type": "ADVISORY", |
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3023" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://github.com/pingcap/tidb/commit/d0376379d615cc8f263a0b17c031ce403c8dcbfb" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://advisory.dw1.io/45" |
| }, |
| { |
| "type": "PACKAGE", |
| "url": "https://github.com/pingcap/tidb" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://huntr.dev/bounties/120f1346-e958-49d0-b66c-0f889a469540" |
| } |
| ], |
| "database_specific": { |
| "cwe_ids": [ |
| "CWE-134" |
| ], |
| "github_reviewed": true, |
| "github_reviewed_at": "2022-11-04T20:48:44Z", |
| "nvd_published_at": "2022-11-04T12:15:00Z", |
| "severity": "CRITICAL" |
| } |
| } |