CVE-2022-21687: n/a in n/a
gh-ost is a triggerless online schema migration solution for MySQL. Versions prior to 1.1.3 are subject to an arbitrary file read vulnerability. The attacker must have access to the target host or trick an administrator into executing a malicious gh-ost command on a host running gh-ost, plus network access from the host running gh-ost to the attacker's malicious MySQL server. The `-database` parameter does not properly sanitize user input, which can lead to arbitrary file reads.
AI Analysis
Technical Summary
CVE-2022-21687 is a medium-severity vulnerability affecting versions of gh-ost prior to 1.1.3. gh-ost is a tool used for online schema migrations in MySQL databases without requiring triggers, facilitating seamless database schema changes. The vulnerability arises from improper input sanitization of the `-database` parameter, which allows an attacker to perform arbitrary file reads on the host running gh-ost. Exploitation requires the attacker to have access to the target host or to trick an administrator into executing a malicious gh-ost command. Additionally, the host running gh-ost must have network access to a malicious MySQL server controlled by the attacker. The vulnerability is classified under CWE-20 (Improper Input Validation). The CVSS v3.1 score is 6.8, indicating a medium severity level, with an attack vector of network, low attack complexity, high privileges required, no user interaction, and a scope change. The impact primarily affects confidentiality, allowing unauthorized reading of files on the host system, but does not affect integrity or availability. No known exploits in the wild have been reported, and no official patches are linked in the provided information, though upgrading to version 1.1.3 or later is implied as a remediation step.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data stored on servers running vulnerable versions of gh-ost. Since gh-ost is used in MySQL schema migrations, organizations relying on MySQL databases for critical applications could have their internal files exposed if an attacker gains the necessary access or successfully tricks an administrator. This could lead to leakage of configuration files, credentials, or other sensitive information, potentially facilitating further attacks. The requirement for high privileges and network access limits the attack surface but does not eliminate risk, especially in complex enterprise environments where administrators may execute migration commands remotely or where lateral movement within networks is possible. The scope change in the CVSS vector indicates that the vulnerability could affect resources beyond the initially compromised component, increasing potential impact. Given the widespread use of MySQL and related tools in European enterprises across sectors such as finance, healthcare, and government, the confidentiality breach could have regulatory and reputational consequences under GDPR and other data protection frameworks.
Mitigation Recommendations
European organizations should immediately verify if gh-ost is deployed in their environments and identify the versions in use. Upgrading gh-ost to version 1.1.3 or later, where this vulnerability is addressed, is the primary mitigation step. Organizations should enforce strict access controls to limit who can execute gh-ost commands, ensuring only trusted administrators have such privileges. Implementing multi-factor authentication and just-in-time access can reduce the risk of credential misuse. Network segmentation should be employed to restrict the gh-ost host's ability to connect to untrusted or external MySQL servers, minimizing the risk of an attacker-controlled MySQL server interaction. Administrators should be trained to recognize and avoid executing suspicious or unverified migration commands. Additionally, monitoring and logging of gh-ost command executions and network connections can help detect and respond to exploitation attempts. Regular security audits and vulnerability scanning should include checks for outdated gh-ost versions and improper input sanitization issues.
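One way to act on the version check and command monitoring recommended above, as an added example that is not part of the original advisory or gh-ost's own code: it flags gh-ost releases older than 1.1.3 and gh-ost command lines whose `-database` value falls outside a conservative allowlist. The allowlist pattern, the function names and the sample command lines are assumptions constructed for illustration.

```python
import re
import shlex

FIXED_VERSION = (1, 1, 3)  # from the advisory: versions prior to 1.1.3 are affected
# Assumption: a conservative allowlist for schema names (letters, digits, _ and $).
SAFE_DB_NAME = re.compile(r"[A-Za-z0-9_$]{1,64}")


def is_vulnerable_version(version):
    """True if a dotted version string is older than 1.1.3 (unparseable counts as old)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) < FIXED_VERSION


def database_args(cmdline):
    """Return every value passed as -database/--database on a command line."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        argv = cmdline.split()
    values = []
    for i, arg in enumerate(argv):
        name, sep, value = arg.partition("=")
        if name not in ("-database", "--database"):
            continue
        if sep:                      # -database=value form
            values.append(value)
        elif i + 1 < len(argv):      # -database value form
            values.append(argv[i + 1])
    return values


def review(cmdline):
    """Return the -database values of a gh-ost invocation that fail the allowlist."""
    if "gh-ost" not in cmdline:
        return []
    return [v for v in database_args(cmdline) if not SAFE_DB_NAME.fullmatch(v)]


# Constructed sample lines, standing in for process-execution audit log entries.
SAMPLE = [
    "gh-ost --host=db1.internal --database=shop --table=orders --alter='ADD COLUMN x INT' --execute",
    "gh-ost -host db1.internal -database 'shop!tmp' -table orders -execute",
    "pt-online-schema-change --database=shop",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(review(line) or "ok", "<-", line)
```

A flagged value is a prompt for review, not proof of exploitation; legitimate schema names with other characters need the allowlist widened deliberately.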
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2021-11-16T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d981ec4522896dcbdbe72
Added to database: 5/21/2025, 9:08:46 AM
Last enriched: 7/6/2025, 11:24:48 PM
Last updated: 8/14/2025, 6:33:39 PM