HTAP Summit 2024 session replays are now live!Access Session Replays

At PingCAP, we attach great importance to product-related security issues. If you find a security vulnerability when you use or test our product, we encourage you to report the issue to the TiDB security team immediately.

Report a vulnerability

If you have discovered a vulnerability in a TiDB product or have encountered a security incident involving a TiDB product vulnerability, please report it to the TiDB security team at security@pingcap.com.

Please provide as much information about the vulnerability as possible in the following format (* indicates a required item):

  • Vulnerability title*:
  • Overview*:
  • Affected component and version number*:
  • CVE number (if available):
  • Vulnerability validation process*:
  • Contact information*:

The TiDB security team will confirm the vulnerability and contact you within two business days after your submission.

Warning: Please do not use the vulnerability to download or obtain data beyond the proof of exploit, to delete, or modify user data. These are regarded as malicious attacks.

Out of scope

The following situations do not qualify as security vulnerabilities:

  • Physical attacks
  • Social engineering attacks or proximity attacks
  • Missing HTTP security headers or enabling specific HTTP methods
  • Email Sender Policy Framework (SPF) issues
  • Brute force attacks on any API interface
  • Website page clickjacking
  • HTML content injection
  • Disclosure of the robots.txt file
  • Email spoofing
  • Error messages about the page
  • Golang or JavaScript function error
  • No rate limit for the API interface
  • Leak of nonsensitive files
  • Disruption of service caused by a Distributed Denial of Service (DDoS) attack or HTTP flood attacks
  • Leak of server version information
  • Weak password policy or database hash salting issues
  • A Secure Socket Layer (SSL) version or Transport Layer Security (TLS) version that is too low
  • Dependent third-party components are vulnerable but cannot be verified

Confidentiality policy

After fixing a security vulnerability, we will publicly thank the person who reported it. However, to avoid negative consequences and in accordance with legal requirements, please keep the vulnerability information confidential until the vulnerability is fixed. We would also appreciate it if you could observe the following code of conduct:

  • Do not disclose the vulnerability to the public or to third parties until PingCAP releases a patch. Depending on the type of the vulnerability, the time and process to fix it will vary. Therefore, all the parties involved must negotiate the proper time to disclose the vulnerability based on their research and judgment.
  • To avoid improper use of the vulnerability, do not disclose detailed information about the vulnerability, such as the vulnerability exploitation code.
  • Comply with intellectual property protection laws, regulations, and trade secret agreements.

Disclosure of fixed vulnerabilities

Vulnerability name
Affected component
CVSS
Affected version
Fixed version
Issue description
TiFlash opens redundant ports
TiFlash Server
CVSS v3 score:8.2 => High severity
4.0.0 <= TiFlash < 7.1.0
Redundant HTTP ports are opened by default in TiFlash deployment.
SSRF Vulnerability in TiDB Dashboard
TiDB Dashboard
CVSS v3 score:7.3 => High severity
7.2.0-DMR
7.3.0-DMR
<= 6.5.3
<= 7.1.1
7.4.0-DMR
>= 6.5.4
>= 7.1.2
>= 7.5.0
SSRF vulnerability allows an attacker to send malicious requests to the target server via a trusted server.
TiDB DSN injection
TiDB Server
CVSS v3
score: 9.8 => Critical severity
<= 6.1.2,
>= 6.2.0 & <= 6.4.0-alpha1
DSN injection vulnerability, may lead to arbitrary file reading.
TiFlash opens redundant ports

TiFlash
CVSS v3
score: 8.6 => High severity
>=4.0.0 & <7.1.0
7.1.0(TiUP>=v1.12.5 or TiDB Operator >= v1.5.0)
When deployed by default, TiFlash opens redundant ports.
TiDB authentication bypass vulnerability
TiDB Server
CVSS v3 score: 8.4 => High severity
5.3.0
Under certain conditions, users can exploit this vulnerability to bypass identity verification.
TiDB DML SQL execution vulnerability
TiDB Server
CVSS v3 score: 8.2 => High severity
<=4.0.14,
<=5.0.3,
<=5.1.1
There is a SQL injection vulnerability in the TiDB http status service, through which an attacker can gain database permissions
TiDB caching_sha2_password bypasses password authentication login
TiDB Server
CVSS v3 score: 7.6 => High severity
<=4.0.6
Under certain conditions, users can bypass the authentication mechanism of caching_sha2_password to log in to TiDB