7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31011

GHSA ID

GHSA-4whx-7p29-mq22

EPSS Score

0.22696%

CWE

CWE-287

Published

6/6/2022

Updated

2/1/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31011

CVE-2022-31011: TiDB authentication bypass vulnerability

Impact

Under certain conditions, an attacker can construct malicious authentication requests to bypass the authentication process, resulting in privilege escalation or unauthorized access. Only users using TiDB 5.3.0 are affected by this vulnerability.

Patches

Please upgrade to TiDB 5.3.1 or higher version

Workarounds

You can also mitigate risks by taking the following measures. Option 1: Turn off SEM (Security Enhanced Mode). Option 2: Disable local login for non-root accounts and ensure that the same IP cannot be logged in as root or normal user at the same time.

References

https://en.pingcap.com/download/

For more information

If you have any questions or comments about this advisory:

Email us at security@tidb.io

(GitHub Advisory)

7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31011

GHSA ID

GHSA-4whx-7p29-mq22

EPSS Score

0.22696%

CWE

CWE-287

Published

6/6/2022

Updated

2/1/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/pingcap/tidb	go	= 5.3.0	5.3.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided information does not contain concrete technical details about the vulnerable code path or specific functions. While the vulnerability relates to authentication bypass in Security Enhanced Mode (SEM), there are no commit diffs, patch details, or code references that explicitly identify vulnerable functions. The workaround suggestions and CWE-287 classification indicate a logic flaw in authentication handling when SEM is enabled, but insufficient technical details prevent confident identification of specific functions. The absence of GitHub patch information and commit diffs makes it impossible to perform code-level analysis to pinpoint vulnerable functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Un**r **rt*in *on*itions, *n *tt**k*r **n *onstru*t m*li*ious *ut**nti**tion r*qu*sts to *yp*ss t** *ut**nti**tion pro**ss, r*sultin* in privil*** *s**l*tion or un*ut*oriz** ****ss. Only us*rs usin* Ti** *.*.* *r* *****t** *y t*is vuln*r**

Reasoning

T** provi*** in*orm*tion *o*s not *ont*in *on*r*t* t***ni**l **t*ils **out t** vuln*r**l* *o** p*t* or sp**i*i* *un*tions. W*il* t** vuln*r**ility r*l*t*s to *ut**nti**tion *yp*ss in S**urity *n**n*** Mo** (S*M), t**r* *r* no *ommit *i**s, p*t** **t*

7.8

Basic Information

Concerned about an active attack path?

CVE-2022-31011: TiDB authentication bypass vulnerability

Impact

Patches

Workarounds

References

For more information

7.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI