GHSA-7fxj-fr3v-r9gj

Source

https://github.com/advisories/GHSA-7fxj-fr3v-r9gj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-7fxj-fr3v-r9gj/GHSA-7fxj-fr3v-r9gj.json

Aliases

CVE-2022-3023

Published

2022-11-04T19:01:17Z

Modified

2023-11-08T04:09:17.076487Z

Details

TiDB server (importer CLI tool) prior to version 6.4.0 & 6.1.3 is vulnerable to data source name injection. The database name for generating and inserting data into a database does not properly sanitize user input which can lead to arbitrary file reads."

References

https://nvd.nist.gov/vuln/detail/CVE-2022-3023
https://github.com/pingcap/tidb/commit/d0376379d615cc8f263a0b17c031ce403c8dcbfb
https://advisory.dw1.io/45
https://github.com/pingcap/tidb
https://huntr.dev/bounties/120f1346-e958-49d0-b66c-0f889a469540

Affected packages

Go / github.com/pingcap/tidb

Package

Name: github.com/pingcap/tidb

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Last affected

6.1.2