
CVE-2022-21687: n/a in n/a

Severity: Medium
Type: Vulnerability (CVE-2022-21687)
Published: Tue Feb 01 2022 (02/01/2022, 11:56:17 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

gh-ost is a triggerless online schema migration solution for MySQL. Versions prior to 1.1.3 are subject to an arbitrary file read vulnerability. The attacker must have access to the target host or trick an administrator into executing a malicious gh-ost command on a host running gh-ost, plus network access from the host running gh-ost to the attacker's malicious MySQL server. The `-database` parameter does not properly sanitize user input, which can lead to arbitrary file reads.

AI-Powered Analysis

Last updated: 07/06/2025, 23:24:48 UTC

Technical Analysis

CVE-2022-21687 is a medium-severity vulnerability in gh-ost, the triggerless online schema migration tool for MySQL, affecting all versions prior to 1.1.3. gh-ost takes the schema it operates on from its `-database` command-line parameter and does not sanitize that value before using it, which can lead to an arbitrary file read. The read takes place on the host running gh-ost (the MySQL client side), not on the database server, which is consistent with the scope change recorded in the CVSS vector. Exploitation needs two things: the attacker must control the `-database` value that gh-ost is started with, either by having access to the host or by getting an administrator to run a malicious gh-ost command, and the gh-ost host must be able to reach a MySQL server under the attacker's control. The weakness is classified as CWE-20 (Improper Input Validation). The CVSS v3.1 base score is 6.8 (Medium), vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N: network attack vector, low attack complexity, high privileges required, no user interaction, changed scope, high confidentiality impact and no impact on integrity or availability. Note that the social-engineering path in the description does involve a user action; the UI:N rating reflects the case where the attacker already holds the privileges needed to run gh-ost. No exploitation in the wild has been reported. The record links no patch, but the affected range ends at 1.1.3, so upgrading to 1.1.3 or later is the remediation.
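The record says only that the `-database` value is not sanitized and that a malicious MySQL server is needed. A common way this class of bug arises in Go MySQL clients is that the database name is formatted straight into a go-sql-driver/mysql DSN of the form `user:pass@tcp(host:port)/db?opt=value`, where everything after the first `?` in the database segment is read by the driver as connection options; a crafted name can then switch on `allowAllFiles`, which lets a server the client connects to request any local file through LOAD DATA LOCAL INFILE. The following is an added illustration of that pattern beside a hardened builder. It is not gh-ost's code, and the exact shape of gh-ost's DSN and of its fix are not given on this page, so the naive form is simplified (a real tool appends its own options after the name, which changes how a name would have to be crafted but not the underlying problem). Function names, the sample credentials and the host 203.0.113.5 are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// naiveDSN mirrors the unsafe pattern: a database name taken from a CLI flag is
// formatted straight into a go-sql-driver/mysql style DSN. Everything after the
// first '?' in the database segment is parsed by the driver as connection options,
// so a crafted name can turn on options the tool never intended to set.
// (Assumed, simplified shape: a real tool appends its own options after the name.)
func naiveDSN(user, password, host string, port int, database string) string {
	return fmt.Sprintf("%s:%s@tcp(%s:%d)/%s", user, password, host, port, database)
}

// dsnOptions returns the option block of a "user:pass@tcp(host:port)/db?k=v" style
// DSN as parsed query values, i.e. the options a driver would see.
func dsnOptions(dsn string) (url.Values, error) {
	i := strings.Index(dsn, ")/")
	if i < 0 {
		return nil, fmt.Errorf("unrecognised DSN shape")
	}
	tail := dsn[i+2:]
	q := strings.IndexByte(tail, '?')
	if q < 0 {
		return url.Values{}, nil
	}
	return url.ParseQuery(tail[q+1:])
}

// dbNameRE accepts only characters legal in an unquoted MySQL identifier, up to
// the 64-character schema-name limit. Anything else is refused, not escaped.
var dbNameRE = regexp.MustCompile(`^[A-Za-z0-9_$]{1,64}$`)

// hardenedDSN validates the name before it can reach the DSN, path-escapes it as a
// second layer (so a stray '?' could only ever be part of the name), and pins
// allowAllFiles=false explicitly even though that is the driver's default.
func hardenedDSN(user, password, host string, port int, database string) (string, error) {
	if !dbNameRE.MatchString(database) {
		return "", fmt.Errorf("refusing -database value %q: not a plain MySQL identifier", database)
	}
	return fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?allowAllFiles=false&timeout=5s",
		user, password, host, port, url.PathEscape(database)), nil
}

func main() {
	// Constructed crafted value: a schema name carrying a DSN option.
	crafted := "app?allowAllFiles=true"
	opts, _ := dsnOptions(naiveDSN("gh-ost", "secret", "203.0.113.5", 3306, crafted))
	fmt.Println("naive DSN: allowAllFiles =", opts.Get("allowAllFiles"))
	if _, err := hardenedDSN("gh-ost", "secret", "203.0.113.5", 3306, crafted); err != nil {
		fmt.Println("hardened DSN:", err)
	}
}
```

The point of the allowlist is that the trust boundary is the command line, not the database: the option injected here only matters because the server on the other end of the connection is hostile, which is exactly the precondition the advisory states.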

Potential Impact

For European organizations, the risk is to the confidentiality of data on hosts that run a vulnerable gh-ost. Such a host holds credentials for the production MySQL server it migrates, so the files an attacker can read there are likely to include configuration files, database credentials and keys that enable further attacks. The requirement for high privileges and for network reachability to an attacker-controlled MySQL server narrows the attack surface but does not remove it: migration commands are frequently run remotely, copied from tickets or runbooks, or generated by tooling, and a migration host with unrestricted egress can reach a malicious server. The scope change in the CVSS vector reflects that the resource compromised (files on the gh-ost host) lies outside the MySQL service the tool is nominally operating on. Given the wide use of MySQL across European finance, healthcare and government environments, a confidentiality breach of this kind can carry GDPR notification obligations and reputational consequences.

Mitigation Recommendations

European organizations should first establish whether gh-ost is deployed at all and which versions are in use: run `gh-ost --version` on each migration host and check any container or CI image that bundles the binary. Upgrading to gh-ost 1.1.3 or later, where the vulnerability is fixed, is the primary mitigation. Restrict who can run gh-ost to trusted database administrators, ideally through just-in-time access backed by multi-factor authentication, so that a stolen credential alone is not enough to start a migration. Because the file read depends on gh-ost reaching an attacker-controlled MySQL server, apply egress filtering on migration hosts so that they can only connect to the known production and replica database endpoints. Treat migration commands as code: review them before execution, and train administrators not to run commands copied from untrusted sources. Log gh-ost invocations (with their full arguments) and the network connections they open, and alert on `-database` values that are not plain schema names or on connections to hosts outside the database allowlist. Include gh-ost in regular vulnerability scanning, covering copies bundled in container images and migration tooling as well as binaries installed directly on hosts.
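One way to implement the detection part of the recommendations above, as an added example that is not part of this page or of gh-ost: a small scanner over process-execution audit lines that flags gh-ost invocations whose `-database` value is not a plain identifier, or whose `-host` is not in an allowlist of known MySQL servers. The log line format, the host names, the user names and the `gh-ost` command lines are constructed for the example; the only fact about gh-ost assumed is that it uses Go's standard flag package, so `-flag value`, `-flag=value`, `--flag value` and `--flag=value` are all accepted and must all be parsed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample audit lines (not real logs): a benign migration, one with a
// crafted -database value, one pointed at a host outside the allowlist, and one
// unrelated command that the scanner must ignore.
var sampleLog = []string{
	`2022-02-01T11:56:17Z host=db-mig-01 user=dba cmd="gh-ost --host=mysql-primary.internal --database=app --table=orders --alter=ADD COLUMN note TEXT --execute"`,
	`2022-02-01T12:03:41Z host=db-mig-01 user=dba cmd="gh-ost -host mysql-primary.internal -database app?allowAllFiles=true -table orders -alter ADD COLUMN x INT -execute"`,
	`2022-02-01T12:10:05Z host=db-mig-02 user=contractor cmd="gh-ost --host=203.0.113.5 --database=app --table=users --alter=ENGINE=InnoDB --execute"`,
	`2022-02-01T12:11:00Z host=db-mig-02 user=dba cmd="mysql -h mysql-primary.internal app"`,
}

// cmdRE matches the constructed line format: timestamp, host, user, quoted command.
var cmdRE = regexp.MustCompile(`^(\S+) host=(\S+) user=(\S+) cmd="(.*)"$`)

// dbNameRE is the same plain-identifier rule a hardened tool would enforce.
var dbNameRE = regexp.MustCompile(`^[A-Za-z0-9_$]{1,64}$`)

// Finding is one suspicious gh-ost invocation and the reason it was flagged.
type Finding struct {
	Time, Host, User, Reason string
}

// ghostFlags parses Go flag-package style arguments (-k v, -k=v, --k v, --k=v)
// into a map. Words that do not start with '-' and are not a flag's value are
// skipped, so a multi-word -alter clause does not derail the parse.
func ghostFlags(args []string) map[string]string {
	flags := map[string]string{}
	for i := 0; i < len(args); i++ {
		a := args[i]
		if !strings.HasPrefix(a, "-") {
			continue
		}
		name := strings.TrimLeft(a, "-")
		if k, v, ok := strings.Cut(name, "="); ok {
			flags[k] = v
			continue
		}
		if i+1 < len(args) && !strings.HasPrefix(args[i+1], "-") {
			flags[name] = args[i+1]
			i++
		} else {
			flags[name] = "true" // boolean flag such as -execute
		}
	}
	return flags
}

// inspect returns the reasons an invocation looks suspicious: a -database value
// that is not a plain identifier (the CVE-2022-21687 vector) or a -host outside
// the allowlist of MySQL servers gh-ost is expected to talk to.
func inspect(flags map[string]string, allowedHosts map[string]bool) []string {
	var reasons []string
	if db, ok := flags["database"]; ok && !dbNameRE.MatchString(db) {
		reasons = append(reasons, fmt.Sprintf("non-identifier -database value %q", db))
	}
	if h, ok := flags["host"]; ok && !allowedHosts[h] {
		reasons = append(reasons, fmt.Sprintf("-host %q not in MySQL allowlist", h))
	}
	return reasons
}

// scanLog applies inspect to every gh-ost command found in the audit lines.
func scanLog(lines []string, allowedHosts map[string]bool) []Finding {
	var out []Finding
	for _, line := range lines {
		m := cmdRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		args := strings.Fields(m[4])
		if len(args) == 0 || !strings.HasSuffix(args[0], "gh-ost") {
			continue
		}
		for _, r := range inspect(ghostFlags(args[1:]), allowedHosts) {
			out = append(out, Finding{Time: m[1], Host: m[2], User: m[3], Reason: r})
		}
	}
	return out
}

func main() {
	allowed := map[string]bool{"mysql-primary.internal": true}
	for _, f := range scanLog(sampleLog, allowed) {
		fmt.Printf("%s %s %s: %s\n", f.Time, f.Host, f.User, f.Reason)
	}
}
```

The host check is the detection counterpart of the egress rule: even after upgrading, a gh-ost run against a database endpoint nobody recognises is worth an alert, because the tool will hand that endpoint its credentials regardless of which version is installed.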


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2021-11-16T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981ec4522896dcbdbe72

Added to database: 5/21/2025, 9:08:46 AM

Last enriched: 7/6/2025, 11:24:48 PM

Last updated: 8/12/2025, 11:23:39 AM
