CVE-2022-31011
Last modified
CVE-2022-31011 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. TiDB is an open-source NewSQL database that supports Hybrid Transactional and Analytical Processing (HTAP) workloads. Under certain conditions, an attacker can construct malicious authentication requests to bypass the authentication process, resulting in privilege escalation or unauthorized access. EPSS estimates a 0.31% chance of exploitation in the next 30 days.
Description
TiDB is an open-source NewSQL database that supports Hybrid Transactional and Analytical Processing (HTAP) workloads. Under certain conditions, an attacker can construct malicious authentication requests to bypass the authentication process, resulting in privilege escalation or unauthorized access. Only users using TiDB 5.3.0 are affected by this vulnerability. TiDB version 5.3.1 contains a patch for this issue. Other mitigation strategies include turning off Security Enhanced Mode (SEM), disabling local login for non-root accounts, and ensuring that the same IP cannot be logged in as root and normal user at the same time.
Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Pingcap | Tidb | 5.3.0 |
References
- https://github.com/pingcap/tidb/releases/tag/v5.3.1Release Notes, Third Party Advisory
- https://github.com/pingcap/tidb/security/advisories/GHSA-4whx-7p29-mq22Mitigation, Third Party Advisory
- https://github.com/pingcap/tidb/releases/tag/v5.3.1Release Notes, Third Party Advisory
- https://github.com/pingcap/tidb/security/advisories/GHSA-4whx-7p29-mq22Mitigation, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-31011?
How severe is CVE-2022-31011?
How do I fix CVE-2022-31011?
Are you affected by CVE-2022-31011?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST