pingcap tidb up to 6.1.2/6.3.x format string

Summaryinfo

A vulnerability, which was classified as critical, has been found in pingcap tidb up to 6.1.2/6.3.x. This impacts an unknown function. The manipulation leads to format string. This vulnerability is traded as CVE-2022-3023. An attack has to be approached locally. There is no exploit available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in pingcap tidb up to 6.1.2/6.3.x. This issue affects an unknown functionality. The manipulation with an unknown input leads to a format string vulnerability. Using CWE to declare the problem leads to CWE-134. The product uses a function that accepts a format string as an argument, but the format string originates from an external source. Impacted is confidentiality. The summary by CVE is:

Use of Externally-Controlled Format String in GitHub repository pingcap/tidb prior to 6.4.0, 6.1.3.

The weakness was shared 11/04/2022. The advisory is shared at huntr.dev. The identification of this vulnerability is CVE-2022-3023 since 08/29/2022. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available.

Upgrading to version 6.1.3 or 6.4.0 eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• pingcap

Name

• tidb

Version

• 6.0
• 6.1
• 6.1.0
• 6.1.1
• 6.1.2
• 6.2
• 6.3

License

• open-source

Website

• Product: https://github.com/pingcap/tidb/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion