CVE-2022-21687

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-21687
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-21687.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-21687
Aliases
Published
2022-02-01T11:56:17Z
Modified
2026-03-14T11:26:06.542291Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Command injection in gh-ost
Details

gh-ost is a triggerless online schema migration solution for MySQL. Versions prior to 1.1.3 are subject to an arbitrary file read vulnerability. The attacker must have access to the target host or trick an administrator into executing a malicious gh-ost command on a host running gh-ost, plus network access from host running gh-ost to the attack's malicious MySQL server. The -database parameter does not properly sanitize user input which can lead to arbitrary file reads.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/21xxx/CVE-2022-21687.json"
}
References

Affected packages

Git / github.com/github/gh-ost

Affected ranges

Type
GIT
Repo
https://github.com/github/gh-ost
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
627c3c7aaf1d9ba0db29b5829d67e401bbedccda
Fixed
a91ab042de013cfd8fbb633763438932d9080d8f
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.1.3"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-21687.json"