Vulnerability Reportpingcap/tidb:v8.5.6

pingcap/tidb:v8.5.6

DIGESTsha256:7124cad80d39ead55d76017635a9820d3c4d3cbd4b1f0824aaffe4b899fac677

Executive Summary

Threat ScoreDANGEROUS• Image contains 63 exposed vulnerabilities, including 2 critical-severity (CVSS >= 7.0) with a maximum CVSS of 8.33.• CVE-2022-3023 (CVSS 8.33) is a format string vulnerability in the TiDB application itself, enabling remote code execution without authentication.• CVE-2026-33186 (CVSS 7.73) is a gRPC authorization bypass that could allow unauthorized access to protected services.• Although the image is from a popular publisher (pingcap, 8M+ pulls) and pinned by digest, the severe vulnerabilities outweigh trust.

88/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (8M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve remote code execution on the TiDB server via CVE-2022-3023, or bypass authorization in gRPC services via CVE-2026-33186, leading to data breaches or service disruption. These vulnerabilities are remotely exploitable without authentication and require immediate remediation.

Vulnerabilities

Vulnerability Log

106 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2022-3023	HIGH8.33	github.com/pingcap/tidb v1.1.0-beta.0.20260413061245-ae18096e0237 No fix yet	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-33186	HIGH7.73	google.golang.org/grpc v1.63.2 fixed in 1.79.3	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-45186	MEDIUM6.38	expat 2.5.0-5.el9_7.1 fixed in 2.5.0-6.el9_8.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-33846	MEDIUM6.38	gnutls 3.8.3-10.el9_7 fixed in 3.8.10-4.el9_8	0.9% Theoretical Threat	Directly Exposed
CVE-2026-42009	MEDIUM6.38	gnutls 3.8.3-10.el9_7 fixed in 3.8.10-4.el9_8	0.8% Theoretical Threat	Directly Exposed
CVE-2026-4424	MEDIUM6.38	libarchive 3.5.3-7.el9_7 fixed in 3.5.3-9.el9_7	0.9% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.5% Theoretical Threat	Directly Exposed
CVE-2026-41602	MEDIUM6.38	github.com/apache/thrift v0.21.0 fixed in 0.23.0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-32280	MEDIUM6.38	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-32281	MEDIUM6.38	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32283	MEDIUM6.38	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33811	MEDIUM6.38	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-33814	MEDIUM6.38	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2026-39820	MEDIUM6.38	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-39836	MEDIUM6.38	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2026-3833	MEDIUM6.29	gnutls 3.8.3-10.el9_7 fixed in 3.8.10-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42011	MEDIUM6.29	gnutls 3.8.3-10.el9_7 fixed in 3.8.10-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42012	MEDIUM6.03	gnutls 3.8.3-10.el9_7 fixed in 3.8.10-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4786	MEDIUM6.03	python3-libs 3.9.25-3.el9_7.1 fixed in 3.9.25-7.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4878	MEDIUM5.95	libcap 2.48-10.el9 fixed in 2.48-10.el9_7.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42014	MEDIUM5.61	gnutls 3.8.3-10.el9_7 fixed in 3.8.10-4.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2025-14512	MEDIUM5.52	glib2 2.68.4-18.el9_7.1 fixed in 2.68.4-19.el9_8.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-common 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-minimal-langpack 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32282	MEDIUM5.44	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32289	MEDIUM5.18	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-40355	MEDIUM5.02	krb5-libs 1.21.1-8.el9_6 fixed in 1.21.1-10.el9_8	0.5% Theoretical Threat	Directly Exposed
CVE-2026-40356	MEDIUM5.02	krb5-libs 1.21.1-8.el9_6 fixed in 1.21.1-10.el9_8	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-2.el9_8	1.0% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2024-37820	MEDIUM4.67	github.com/pingcap/tidb v1.1.0-beta.0.20260413061245-ae18096e0237 fixed in 8.2.0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32288	MEDIUM4.67	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39826	MEDIUM4.59	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-common 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-minimal-langpack 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42015	MEDIUM4.5	gnutls 3.8.3-10.el9_7 fixed in 3.8.10-4.el9_8	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42507	MEDIUM4.5	stdlib v1.25.8 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.5% Theoretical Threat	Directly Exposed
CVE-2026-28421	LOW3.98	vim-minimal 2:8.2.2637-23.el9_7 fixed in 2:8.2.2637-23.el9_7.2	0.2% Theoretical Threat	Post-Exploit
CVE-2026-33412	LOW3.72	vim-minimal 2:8.2.2637-23.el9_7 fixed in 2:8.2.2637-23.el9_7.2	0.7% Theoretical Threat	Post-Exploit
CVE-2026-25749	LOW3.72	vim-minimal 2:8.2.2637-23.el9_7 fixed in 2:8.2.2637-23.el9_7.1	0.2% Theoretical Threat	Post-Exploit
CVE-2026-35177	LOW3.62	vim-minimal 2:8.2.2637-23.el9_7 fixed in 2:8.2.2637-26.el9_8.5	0.1% Theoretical Threat	Post-Exploit
CVE-2026-4438	LOW3.4	glibc 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-common 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-minimal-langpack 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34181	LOW3.21	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42768	LOW3.21	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.4% Theoretical Threat	Post-Exploit
CVE-2023-39975	LOW3.17	krb5-libs 1.21.1-8.el9_6 fixed in 1.21.1-10.el9_8	1.2% Low-Moderate Risk	Post-Exploit
CVE-2026-3832	LOW3.15	gnutls 3.8.3-10.el9_7 fixed in 3.8.10-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5419	LOW3.15	gnutls 3.8.3-10.el9_7 fixed in 3.8.10-4.el9_8	0.5% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42764	LOW3.01	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.7% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW3.01	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW3.01	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW3.01	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Post-Exploit
CVE-2025-14087	LOW3	glib2 2.68.4-18.el9_7.1 fixed in 2.68.4-19.el9_8.1	0.8% Theoretical Threat	Post-Exploit
CVE-2026-42010	LOW3	gnutls 3.8.3-10.el9_7 fixed in 3.8.10-4.el9_8	0.8% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-28417	LOW2.81	vim-minimal 2:8.2.2637-23.el9_7 fixed in 2:8.2.2637-23.el9_7.2	1.2% Low-Moderate Risk	Post-Exploit
CVE-2026-7383	LOW2.8	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Post-Exploit
CVE-2026-4519	LOW2.8	python3-libs 3.9.25-3.el9_7.1 fixed in 3.9.25-7.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33845	LOW2.78	gnutls 3.8.3-10.el9_7 fixed in 3.8.10-4.el9_8	0.6% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Post-Exploit
CVE-2026-5121	LOW2.7	libarchive 3.5.3-7.el9_7 fixed in 3.5.3-9.el9_7	1.1% Low-Moderate Risk	Post-Exploit
CVE-2026-2100	LOW2.7	p11-kit 0.25.3-3.el9_5 fixed in 0.26.2-1.el9	1.0% Low-Moderate Risk	Post-Exploit
CVE-2026-2100	LOW2.7	p11-kit-trust 0.25.3-3.el9_5 fixed in 0.26.2-1.el9	1.0% Low-Moderate Risk	Post-Exploit
CVE-2026-32952	LOW2.7	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 fixed in 0.1.1	1.0% Low-Moderate Risk	Post-Exploit
CVE-2026-42766	LOW2.7	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42767	LOW2.7	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Post-Exploit
CVE-2026-34180	LOW2.55	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.5% Theoretical Threat	Post-Exploit
CVE-2026-42013	LOW2.51	gnutls 3.8.3-10.el9_7 fixed in 3.8.10-4.el9_8	0.4% Theoretical Threat	Post-Exploit
CVE-2026-5260	LOW2.51	gnutls 3.8.3-10.el9_7 fixed in 3.8.10-4.el9_8	0.7% Theoretical Threat	Post-Exploit
CVE-2026-34982	LOW2.51	vim-minimal 2:8.2.2637-23.el9_7 fixed in 2:8.2.2637-26.el9_8.4	0.4% Theoretical Threat	Post-Exploit
CVE-2026-6100	LOW2.48	python3 3.9.25-3.el9_7.1 fixed in 3.9.25-7.el9_8	0.5% Theoretical Threat	Post-Exploit
CVE-2026-6100	LOW2.48	python3-libs 3.9.25-3.el9_7.1 fixed in 3.9.25-7.el9_8	0.5% Theoretical Threat	Post-Exploit
CVE-2026-29111	LOW2.39	systemd-libs 252-55.el9_7.7.rocky.0.1 fixed in 252-67.el9_8.2.rocky.0.1	0.1% Theoretical Threat	Post-Exploit
CVE-2023-36054	LOW2.34	krb5-libs 1.21.1-8.el9_6 fixed in 1.21.1-10.el9_8	2.1% Low-Moderate Risk	Post-Exploit
CVE-2026-27135	LOW2.29	libnghttp2 1.43.0-6.el9 fixed in 1.43.0-6.el9_7.1	0.6% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.5% Theoretical Threat	Post-Exploit
CVE-2026-28390	LOW2.29	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-3.el9_8	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28390	LOW2.29	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-3.el9_8	0.8% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Post-Exploit
CVE-2026-4786	LOW2.17	python3 3.9.25-3.el9_7.1 fixed in 3.9.25-7.el9_8	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW1.89	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31790	LOW1.81	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-2.el9_8	1.0% Theoretical Threat	Post-Exploit
CVE-2026-4519	LOW1.68	python3 3.9.25-3.el9_7.1 fixed in 3.9.25-7.el9_8	0.2% Theoretical Threat	Post-Exploit
GHSA-xmrv-pmrh-hhx2	NONE0	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.0 fixed in 1.7.8	—	Not Applicable
GHSA-xmrv-pmrh-hhx2	NONE0	github.com/aws/aws-sdk-go-v2/service/s3 v1.87.1 fixed in 1.97.3	—	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.25.8 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.25.8 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable