CVE-2022-21687 is a medium-severity vulnerability affecting versions of gh-ost prior to 1.1.3. Gh-ost is a tool used for online schema migrations in MySQL databases without requiring triggers, facilitating seamless database schema changes. The vulnerability arises from improper input sanitization of the '-database' parameter, which allows an attacker to perform arbitrary file reads on the host running gh-ost. Exploitation requires the attacker to have access to the target host or to trick an administrator into executing a malicious gh-ost command. Additionally, the host running gh-ost must have network access to a malicious MySQL server controlled by the attacker. The vulnerability is classified under CWE-20 (Improper Input Validation). The CVSS v3.1 score is 6.8, indicating a medium severity level, with an attack vector of network, low attack complexity, high privileges required, no user interaction, and a scope change. The impact primarily affects confidentiality, allowing unauthorized reading of files on the host system, but does not affect integrity or availability. No known exploits in the wild have been reported, and no official patches are linked in the provided information, though upgrading to version 1.1.3 or later is implied as a remediation step.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data stored on servers running vulnerable versions of gh-ost. Since gh-ost is used in MySQL schema migrations, organizations relying on MySQL databases for critical applications could have their internal files exposed if an attacker gains the necessary access or successfully tricks an administrator. This could lead to leakage of configuration files, credentials, or other sensitive information, potentially facilitating further attacks. The requirement for high privileges and network access limits the attack surface but does not eliminate risk, especially in complex enterprise environments where administrators may execute migration commands remotely or where lateral movement within networks is possible. The scope change in the CVSS vector indicates that the vulnerability could affect resources beyond the initially compromised component, increasing potential impact. Given the widespread use of MySQL and related tools in European enterprises across sectors such as finance, healthcare, and government, the confidentiality breach could have regulatory and reputational consequences under GDPR and other data protection frameworks.

European organizations should immediately verify if gh-ost is deployed in their environments and identify the versions in use. Upgrading gh-ost to version 1.1.3 or later, where this vulnerability is addressed, is the primary mitigation step. Organizations should enforce strict access controls to limit who can execute gh-ost commands, ensuring only trusted administrators have such privileges. Implementing multi-factor authentication and just-in-time access can reduce the risk of credential misuse. Network segmentation should be employed to restrict the gh-ost host's ability to connect to untrusted or external MySQL servers, minimizing the risk of an attacker-controlled MySQL server interaction. Administrators should be trained to recognize and avoid executing suspicious or unverified migration commands. Additionally, monitoring and logging of gh-ost command executions and network connections can help detect and respond to exploitation attempts. Regular security audits and vulnerability scanning should include checks for outdated gh-ost versions and improper input sanitization issues.