
CVE-2022-3023: TiDB vulnerable to Use of Externally-Controlled Format String

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.26509%
Published: 11/4/2022
Updated: 2/3/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name               Ecosystem   Vulnerable Versions          First Patched Version
github.com/pingcap/tidb    go          <= 6.1.2
github.com/pingcap/tidb    go          >= 6.2.0, <= 6.4.0-alpha1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from unsafe DSN construction using user-controlled input. The createDB function directly interpolated the database name into the DSN string, allowing attackers to inject MySQL parameters. The ToDSN method concatenated connection parameters (including user-controlled Vars) without proper URL encoding, enabling format string manipulation. The patches replaced DSN string building with structured mysql.Config usage to prevent injection, confirming these were the vulnerable paths. The PoC demonstrates exploitation via parameter injection in database names, directly implicating these functions.
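The two construction patterns described above, as an added example that is not Miggo's or TiDB's code: buildDSNUnsafe interpolates the database name into the DSN the way the vulnerable createDB did, while dsnConfig.FormatDSN stands in for the structured mysql.Config approach the patch moved to (path-escaped database name, query-escaped parameter values). parseDSN is a constructed, stripped-down parser that mirrors only the part of go-sql-driver/mysql's DSN handling that matters here (first '?' after the '/' ends the database name; '&'-separated key=value pairs follow). All function and type names are assumptions for this illustration; allowAllFiles is a real driver option, chosen because it changes client behaviour in exactly the way a smuggled parameter should not. unexpectedParams is a defensive check for code that still receives DSN strings from elsewhere.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// dsnView is the parsed shape of user:pass@tcp(host:port)/dbname?k=v&k=v.
type dsnView struct {
	Addr   string
	DBName string
	Params map[string]string
}

// parseDSN is a constructed, minimal parser: the database name runs from the
// '/' to the first '?', parameters are '&'-separated key=value pairs, and the
// name is path-unescaped, mirroring the real driver's split. Not the driver's code.
func parseDSN(dsn string) (dsnView, error) {
	at := strings.LastIndex(dsn, "@")
	if at < 0 {
		return dsnView{}, fmt.Errorf("parseDSN: missing '@' in %q", dsn)
	}
	rest := dsn[at+1:]
	slash := strings.Index(rest, "/")
	if slash < 0 {
		return dsnView{}, fmt.Errorf("parseDSN: missing '/' before database name")
	}
	v := dsnView{Addr: rest[:slash], Params: map[string]string{}}
	tail := rest[slash+1:]
	rawName := tail
	if q := strings.Index(tail, "?"); q >= 0 {
		rawName = tail[:q]
		for _, kv := range strings.Split(tail[q+1:], "&") {
			k, val, _ := strings.Cut(kv, "=")
			v.Params[k] = val
		}
	}
	name, err := url.PathUnescape(rawName)
	if err != nil {
		return dsnView{}, fmt.Errorf("parseDSN: bad database name: %w", err)
	}
	v.DBName = name
	return v, nil
}

// buildDSNUnsafe is the vulnerable pattern: the caller-supplied database name
// is interpolated straight into the DSN, so a '?' in it starts the parameter
// section and the application's own charset parameter is swallowed.
func buildDSNUnsafe(dbName string) string {
	return fmt.Sprintf("root:secret@tcp(127.0.0.1:4000)/%s?charset=utf8mb4", dbName)
}

// dsnConfig stands in for mysql.Config: fields, not a string. FormatDSN
// path-escapes the database name and query-escapes every parameter value,
// so user input can never open a new parameter.
type dsnConfig struct {
	User, Passwd, Addr, DBName string
	Params                     map[string]string
}

func (c dsnConfig) FormatDSN() string {
	var b strings.Builder
	fmt.Fprintf(&b, "%s:%s@tcp(%s)/%s", c.User, c.Passwd, c.Addr, url.PathEscape(c.DBName))
	keys := make([]string, 0, len(c.Params))
	for k := range c.Params {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output
	sep := "?"
	for _, k := range keys {
		fmt.Fprintf(&b, "%s%s=%s", sep, k, url.QueryEscape(c.Params[k]))
		sep = "&"
	}
	return b.String()
}

// buildDSNSafe is the hardened form: same inputs, structured construction.
func buildDSNSafe(dbName string) string {
	cfg := dsnConfig{
		User: "root", Passwd: "secret", Addr: "127.0.0.1:4000",
		DBName: dbName,
		Params: map[string]string{"charset": "utf8mb4"},
	}
	return cfg.FormatDSN()
}

// unexpectedParams reports every DSN parameter outside the set the
// application intends to set (e.g. a smuggled allowAllFiles), sorted.
func unexpectedParams(v dsnView, allowed map[string]bool) []string {
	var out []string
	for k := range v.Params {
		if !allowed[k] {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed hostile database name: ends the name early and appends a driver option.
	hostile := "test?allowAllFiles=true&x="
	allowed := map[string]bool{"charset": true}
	for _, dsn := range []string{buildDSNUnsafe(hostile), buildDSNSafe(hostile)} {
		v, err := parseDSN(dsn)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("dsn=%s\n  db=%q params=%v unexpected=%v\n", dsn, v.DBName, v.Params, unexpectedParams(v, allowed))
	}
}
```

Run as-is, the unsafe DSN parses to database "test" with allowAllFiles=true injected and charset lost, while the safe DSN parses back to the full hostile string as a plain database name with only charset set. The general lesson is the patch's: never build a connection string by concatenation; populate the driver's config struct and let its formatter escape each field.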


WAF Protection Rules

WAF Rule

TiDB server (importer CLI tool) prior to version *.*.* & *.*.* is vulnerable to data source name injection. The database name for generating and inserting data into a database does not properly sanitize user input which can lead to arbitrary file read
