Improper Input Validation of `-database` Parameter

Low

dm-2 published GHSA-rrp4-2xx3-mv29

Jan 31, 2022

Package

gh-ost (Go)

Affected versions

<= 1.1.2

Patched versions

1.1.3

Description

Gh-ost version <= 1.1.2 allows users to inject DSN strings via the -database parameter.

This is a low severity vulnerability as the attacker must have access to the target host or trick an administrator into executing a malicious gh-ost command on a host running gh-ost, plus network access from host running gh-ost to the attack's malicious MySQL server.

Impact

This issue may lead to arbitrary local file read.

Patches

Fixed in 1.1.3+.

Workarounds

None

References

https://advisory.dw1.io/51

For more information

If you have any questions or comments about this advisory:

Open an issue in github/gh-ost

Weaknesses

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Learn more on MITRE.

CWE-99

Improper Control of Resource Identifiers ('Resource Injection')

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. Learn more on MITRE.

CWE-141

Improper Neutralization of Parameter/Argument Delimiters

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component. Learn more on MITRE.