TiDB Vulnerability Disclosure

A potential buffer overflow was reported in the (*Column).GetDecimal component. This issue can cause a single query to fail when using RemoveUnnecessaryFirstRow, as it checks expressions between Agg and GroupBy without validating the return type. This does not result in a Denial of Service (DoS) for other users. The impact is limited to the failing query and reflects a complex query handling bug rather than a service-wide disruption.

A buffer overflow was identified in TiDB’s expression.ExplainExpressionList component. While it appeared that a crafted input might cause a Denial of Service (DoS), PingCAP’s analysis confirmed that the issue does not lead to service interruption or broader security risks. Instead, it is classified as a complex query bug rather than a DoS vulnerability.

A nil pointer dereference was discovered in TiDB within the expression.inferCollation function. This issue may cause specific SQL statements to return errors, but it does not impact other connections or users, nor does it result in a denial-of-service condition.

A NULL pointer dereference was discovered in TiDB within the SortedRowContainer component. This issue may cause a single query to fail and the corresponding session to disconnect, but it does not affect other connections or users.

A buffer overflow vulnerability was discovered in TiDB, which could cause a single user connection to crash. The client can automatically reconnect by resending the command, and this issue does not affect other users or lead to a broader denial-of-service condition.

In certain versions, the TiDB Dashboard component may, after cluster startup, allow local port status to be inferred through internal debugging-related interfaces, which could result in an information disclosure risk.

 In certain versions, the component opens an internal TCP communication port after startup. This port does not enforce strict access control or authentication, which under specific conditions may allow unauthorized access and potentially lead to data being queried or modified.

TiDB server (importer CLI tool) prior to version 6.4.0 & 6.1.3 is vulnerable to data source name injection. The database name for generating and inserting data into a database does not properly sanitize user input which can lead to arbitrary file reads.

Under certain conditions, an attacker can construct malicious authentication requests to bypass the authentication process, resulting in privilege escalation or unauthorized access. Only users using TiDB 5.3.0 are affected by this vulnerability. TiDB version 5.3.1 contains a patch for this issue. Other mitigation strategies include turning off Security Enhanced Mode (SEM), disabling local login for non-root accounts, and ensuring that the same IP cannot be logged in as root and normal user at the same time.