x/vulndb: potential Go vuln in github.com/pingcap/tidb: GHSA-9g6g-xqv5-8g5w

[GoVulnBot]

Advisory GHSA-9g6g-xqv5-8g5w references a vulnerability in the following Go modules:

Module
github.com/pingcap/tidb

Description:
A nil pointer dereference in PingCAP TiDB v8.2.0-alpha-216-gfe5858b allows attackers to crash the application via expression.inferCollation.

References:

• ADVISORY: GHSA-9g6g-xqv5-8g5w
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-37820
• FIX: pingcap/tidb@3d68bd2
• REPORT: invalid memory address or nil pointer dereference in expression.inferCollation pingcap/tidb#53580
• WEB: https://gist.github.com/ycybfhb/a9c1e14ce281f2f553adca84d384b761

Cross references:

• github.com/pingcap/tidb appears in 2 other report(s):
  • data/excluded/GO-2022-0469.yaml (x/vulndb: potential Go vuln in github.com/pingcap/tidb: CVE-2022-31011 #469) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1097.yaml (x/vulndb: potential Go vuln in github.com/pingcap/tidb: GHSA-7fxj-fr3v-r9gj #1097) NOT_IMPORTABLE

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/pingcap/tidb
      non_go_versions:
        - fixed: 8.2.0
      vulnerable_at: 1.0.9
summary: PingCAP TiDB nil pointer dereference in github.com/pingcap/tidb
cves:
    - CVE-2024-37820
ghsas:
    - GHSA-9g6g-xqv5-8g5w
references:
    - advisory: https://github.com/advisories/GHSA-9g6g-xqv5-8g5w
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-37820
    - fix: https://github.com/pingcap/tidb/commit/3d68bd21240c610c6307713e2bd54a5e71c32608
    - report: https://github.com/pingcap/tidb/issues/53580
    - web: https://gist.github.com/ycybfhb/a9c1e14ce281f2f553adca84d384b761
source:
    id: GHSA-9g6g-xqv5-8g5w
    created: 2024-11-22T00:01:27.085983723Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/632255 mentions this issue: data/reports: add 7 unreviewed reports