CVE-2023-52286
Description
Tencent tdsqlpcloud through 1.8.5 allows unauthenticated remote attackers to discover database credentials via an index.php/api/install/get_db_info request, a related issue to CVE-2023-42387.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Tencent/tdsqlpclouddescription
- Range: <=1.8.5
Patches
Vulnerability mechanics
Root cause
"The get_db_info() function in install.php exposes sensitive database credentials without proper authentication."
Attack vector
An unauthenticated remote attacker can send a request to the index.php/api/install/get_db_info endpoint. This request triggers the get_db_info() function, which by default outputs the database's IP, port, and account credentials. This allows for sensitive information leakage, as demonstrated by the example URL provided [ref_id=1].
Affected code
The vulnerability lies within the install.php file, specifically in the get_db_info() function. This function is accessible through an unauthorized interface, allowing attackers to retrieve database configuration details [ref_id=1].
What the fix does
The advisory does not provide details on the specific patch or fix implemented. However, it indicates that the vulnerability is related to an earlier issue, CVE-2023-42387. The recommended remediation is to update to a version that addresses this vulnerability, implying that access control or sanitization measures have been added to prevent unauthorized information disclosure.
Preconditions
- authThe attacker does not require any authentication to exploit this vulnerability.
- networkThe attacker must have network access to the target server.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.