Home > Vulnerability Database > CVE-2022-21687

Mend.io Vulnerability Database

CVE-2022-21687

Good to know:

Date: February 1, 2022

gh-ost is a triggerless online schema migration solution for MySQL. Versions prior to 1.1.3 are subject to an arbitrary file read vulnerability. The attacker must have access to the target host or trick an administrator into executing a malicious gh-ost command on a host running gh-ost, plus network access from host running gh-ost to the attack's malicious MySQL server. The `-database` parameter does not properly sanitize user input which can lead to arbitrary file reads.

Language: Go

Severity Score

6.5

Related Resources (5)

Url: https://github.com/github/gh-ost/commit/a91ab042de013cfd8fbb633763438932d9080d8f

Url: https://github.com/github/gh-ost/security/advisories/GHSA-rrp4-2xx3-mv29

Url: https://github.com/advisories/GHSA-rrp4-2xx3-mv29

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-21687

Url: https://www.mend.io/vulnerability-database/CVE-2022-21687

Severity Score

6.5

Weakness Type (CWE)

Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version v1.1.3

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-21687

Good to know:

Date: February 1, 2022

Language: Go

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?