First published: Tue Feb 01 2022
gh-ost is a triggerless online schema migration solution for MySQL. Versions prior to 1.1.3 are subject to an arbitrary file read vulnerability. The attacker must either have access to the target host or trick an administrator into executing a malicious gh-ost command on a host running gh-ost, and must also have network access from the host running gh-ost to the attacker's malicious MySQL server. The `-database` parameter does not properly sanitize user input, which can lead to arbitrary file reads.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Github Gh-ost | <1.1.3 | Update to 1.1.3 or later |
CVE-2022-21687 refers to an arbitrary file read vulnerability in gh-ost, a triggerless online schema migration solution for MySQL.
CVE-2022-21687 allows an attacker who has access to the target host, or who tricks an administrator into executing a malicious command, to read arbitrary files on a host running gh-ost.
Versions prior to 1.1.3 of gh-ost are affected by CVE-2022-21687.
CVE-2022-21687 has a severity rating of medium with a CVSS score of 6.5.
To fix the vulnerability CVE-2022-21687, it is recommended to update gh-ost to version 1.1.3 or later.