CVE-2022-21687: Command injection in gh-ost
First published: Tue Feb 01 2022(Updated: )
gh-ost is a triggerless online schema migration solution for MySQL. Versions prior to 1.1.3 are subject to an arbitrary file read vulnerability. The attacker must have access to the target host or trick an administrator into executing a malicious gh-ost command on a host running gh-ost, plus network access from host running gh-ost to the attack's malicious MySQL server. The `-database` parameter does not properly sanitize user input which can lead to arbitrary file reads.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Github Gh-ost | <1.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-21687?
CVE-2022-21687 refers to an arbitrary file read vulnerability in gh-ost, a triggerless online schema migration solution for MySQL.
How does CVE-2022-21687 impact gh-ost?
CVE-2022-21687 allows an attacker with access to the target host or tricking an administrator into executing a malicious command to read arbitrary files on a host running gh-ost.
What are the affected versions of gh-ost for CVE-2022-21687?
Versions prior to 1.1.3 of gh-ost are affected by CVE-2022-21687.
What is the severity of CVE-2022-21687?
CVE-2022-21687 has a severity rating of medium with a CVSS score of 6.5.
How can I fix the vulnerability CVE-2022-21687?
To fix the vulnerability CVE-2022-21687, it is recommended to update gh-ost to version 1.1.3 or later.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/title
- agent/severity
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/github
- canonical/github gh-ost