x/vulndb: potential Go vuln in github.com/github/gh-ost: CVE-2022-21687 #298

GoVulnBot · 2022-02-05T00:01:28Z

In CVE-2022-21687, the reference URL github.com/github/gh-ost (and possibly others) refers to something in Go.

Commit: github/gh-ost@a91ab04

module: github.com/github/gh-ost
package: n/a
description: |
    gh-ost is a triggerless online schema migration solution for MySQL. Versions prior to 1.1.3 are subject to an arbitrary file read vulnerability. The attacker must have access to the target host or trick an administrator into executing a malicious gh-ost command on a host running gh-ost, plus network access from host running gh-ost to the attack's malicious MySQL server. The `-database` parameter does not properly sanitize user input which can lead to arbitrary file reads.
cves:
  - CVE-2022-21687
links:
    commit: https://github.com/github/gh-ost/commit/a91ab042de013cfd8fbb633763438932d9080d8f
    context:
      - https://github.com/github/gh-ost/security/advisories/GHSA-rrp4-2xx3-mv29

See doc/triage.md for instructions on how to triage this report.

The text was updated successfully, but these errors were encountered:

neild · 2022-07-07T18:48:56Z

Vulnerability in tool.

gopherbot · 2024-06-14T20:00:48Z

Change https://go.dev/cl/592766 mentions this issue: data/reports: unexclude 50 reports

gopherbot · 2024-08-20T19:43:23Z

Change https://go.dev/cl/607215 mentions this issue: data/reports: unexclude 20 reports (13)

- data/reports/GO-2022-0231.yaml - data/reports/GO-2022-0249.yaml - data/reports/GO-2022-0250.yaml - data/reports/GO-2022-0260.yaml - data/reports/GO-2022-0261.yaml - data/reports/GO-2022-0270.yaml - data/reports/GO-2022-0278.yaml - data/reports/GO-2022-0281.yaml - data/reports/GO-2022-0291.yaml - data/reports/GO-2022-0295.yaml - data/reports/GO-2022-0298.yaml - data/reports/GO-2022-0302.yaml - data/reports/GO-2022-0303.yaml - data/reports/GO-2022-0304.yaml - data/reports/GO-2022-0305.yaml - data/reports/GO-2022-0306.yaml - data/reports/GO-2022-0307.yaml - data/reports/GO-2022-0308.yaml - data/reports/GO-2022-0309.yaml - data/reports/GO-2022-0310.yaml Updates #231 Updates #249 Updates #250 Updates #260 Updates #261 Updates #270 Updates #278 Updates #281 Updates #291 Updates #295 Updates #298 Updates #302 Updates #303 Updates #304 Updates #305 Updates #306 Updates #307 Updates #308 Updates #309 Updates #310 Change-Id: Idffc4951124598d58d8ebf3b1c44fc141f192639 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607215 Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Commit-Queue: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

julieqiu assigned FiloSottile Feb 22, 2022

julieqiu added the cve-year-2022 label Feb 23, 2022

julieqiu unassigned FiloSottile May 5, 2022

neild self-assigned this Jul 7, 2022

neild closed this as completed Jul 7, 2022

neild added the NotGoVuln label Jul 7, 2022

neild added excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. and removed NotGoVuln labels Aug 11, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/github/gh-ost: CVE-2022-21687 #298

x/vulndb: potential Go vuln in github.com/github/gh-ost: CVE-2022-21687 #298

GoVulnBot commented Feb 5, 2022

neild commented Jul 7, 2022

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024

x/vulndb: potential Go vuln in github.com/github/gh-ost: CVE-2022-21687 #298

x/vulndb: potential Go vuln in github.com/github/gh-ost: CVE-2022-21687 #298

Comments

GoVulnBot commented Feb 5, 2022

neild commented Jul 7, 2022

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024