Technical advisories report major issues with CockroachDB or the CockroachDB Cloud platform that may impact security or stability in production environments.

Users are invited to evaluate advisories and consider the recommended mitigation actions independently from their version upgrade schedule.

| Advisory | Description | Affected versions | Date |
| --- | --- | --- | --- |
| A-123371 | Changefeeds could drop events during the initial scan in some cases, causing changefeed consumers to receive incomplete data. | v22.2, v23.1.0 to v23.1.21, v23.2.0 to v23.2.5, and testing versions of v24.1 through v24.1.0-rc.1 | June 17, 2024 |
| A-104309 | In rare cases, a rangefeed bug may cause a checkpoint to be emitted prematurely, before all writes below the checkpoint timestamp have been emitted. | v2.1.11 to v22.2.17, v23.1.0 to v23.1.14, v23.2.0 | February 21, 2024 |
| A-114393 | A bug could cause a query plan to skip scanning rows from the local region when performing a lookup join with a REGIONAL BY ROW table as the input. | v23.1.0 to v23.1.12, and pre-release versions v23.1.0-beta.1, v23.1.0-beta.2, v23.1.0-beta.3, v23.1.0-rc.1, and v23.1.0-rc.2 | December 5, 2023 |
| A-190483 | Queries reading a table that uses at least one explicit column family in its definition and was restored from a backup using version v22.2.7 to v22.2.13 or v23.1.0 to v23.1.8 may return errors or incorrect results. | v22.2.7 to v22.2.13, v23.1.0 to v23.1.8 | September 22, 2023 |
| A-110363 | Clusters using row-level TTL and upgraded from v22.2.x to v23.1.9 may experience nodes crashing due to the erroneous deletion of a necessary metadata field. | Clusters running v22.2.x upgrading to v23.1.9 | September 12, 2023 |
| A-106617 | When the encryption-at-rest registry rolls over, a bug in the append-only log file could result in loss of the store. | v21.2.x, ≤ 22.1.21, ≤ 22.2.12, ≤ 23.1.7 | August 15, 2023 |
| A-99561 | When adding a new column using the new declarative schema changer, CockroachDB mistakenly retrieves a unique secondary index, treating it as the primary index. | v22.2.x, v23.1.0 to v23.1.5 | July 18, 2023 |
| A-103220 | Inserting rows into a multi-column-family table with COPY can corrupt the table, making future reads fail with internal errors. | v23.1.0-alpha.1 to v23.1.0 | May 16, 2023 |
| A-102375 | Some customers may experience spurious privilege errors when trying to run queries due to a bug in the query cache. | v22.1.19 and v22.2.8 | May 11, 2023 |
| A-101963 | In specific circumstances, a RESTORE operation may restore incorrect data from a backup that contains incorrect metadata related to revision history. | v22.2.0 to v22.2.8 and v22.1.0 to v22.1.19 | May 9, 2023 |
| A-99796 | After upgrading to CockroachDB v22.2.0 to v22.2.7, a bug could cause primary index corruption when an ALTER TABLE ... ADD COLUMN statement executes concurrently with an UPDATE or INSERT command, and the schema change fails and is rolled back. | v22.2.0 to v22.2.7 | April 17, 2023 |
| A-99049 | Non-admin SQL users with an authenticated HTTP session could download statement diagnostic bundles given a bundle URL from the DB Console or SQL shell and a valid HTTP session cookie. | v21.2.x, v22.1.0 to v22.1.16, v22.2.0 to v22.2.6 | March 29, 2023 |
| A-98779 | A restore job can potentially skip some data files upon resumption of an in-progress RESTORE, which could lead to missing rows after the job succeeds. | v22.2.6 | March 29, 2023 |
| A-97932 | The SCRAM protocol had a high default hash count, causing connection latency spikes for clients running on limited CPU. | v22.2.0 to v22.2.6 | March 29, 2023 |
| A-97090 | Queries planned with a zigzag join could produce incorrect results if the two indexes used for the join had a matching suffix of index key columns whose sort direction differed between the two indexes. | v19.1 to v22.1.15, v22.2.0 to v22.2.5 | March 6, 2023 |
| A-96924 | When executing ALTER TABLE DROP COLUMN on a column used in a partial index, all DML statements referencing the table fail with an error during the delete-only phase. | v20.2.0 to v22.1.15, v22.2.0 to v22.2.5 | March 6, 2023 |
| A-93398 | Altering a non-empty table to add a column with a DEFAULT expression whose type did not match the type of the new column could cause the column to become corrupted. | v22.2.0-alpha.1 to v22.2.3 | March 1, 2023 |
| A-97178 | Clusters that are upgraded to v22.2.4 while a previous upgrade to v22.2.x has not been finalized exhibit a bug that prevents non-admin users from connecting to the cluster. | v22.2.4 | February 16, 2023 |
| A-96465 | The global NOSQLLOGIN privilege does not restrict SQL access as it should. | v22.2.0 to v22.2.3 | February 6, 2023 |
| A-96029 | CockroachDB may display higher than expected values for histogram metrics when calculating quantiles. | v22.2.0 to v22.2.3 | January 27, 2023 |
| C20230118 | CockroachDB Cloud users with the Developer role could perform SQL admin-like operations using a specific internal DB Console API. | CockroachDB Cloud from November 2022 to January 2023 | January 18, 2023 |
| A-93314 | CockroachDB crashes when a user-defined function is created using any implicit record type that contains a column of user-defined ENUM type as the function's parameter type or return type. | v22.2.0 and v22.2.1 | January 4, 2023 |
| A-90146 | Changefeeds using the initial_scan='only' or schema_change_policy='stop' options may incorrectly complete with a successful status under certain circumstances. | v22.1.6 to v22.1.9 | December 20, 2022 |
| A-88042 | A RESTORE of an incremental backup may include rows that should not be restored, in a narrow set of circumstances relating to an ongoing IMPORT INTO job. | v22.1.0 to v22.1.8 and v21.2.0 to v21.2.16 | October 24, 2022 |
| A-88993 | A query with ORDER BY and LIMIT clauses could return incorrect results if it scanned a multi-column index containing the ORDER BY columns, and a prefix of the index columns was held fixed to two or more constant values by the query filter or schema. | v22.1.0 to v22.1.8 | October 17, 2022 |
| A-88047 | Querying a REGIONAL BY ROW or partitioned multi-region table could produce incorrect results if the query has a LIMIT of less than 100,000 and uses an inverted index. | v22.1.0 to v22.1.7 | September 29, 2022 |
| A-84144 | Multi-region tables whose locality has been altered to REGIONAL BY ROW are at risk of being corrupted. | v22.1.0 to v22.1.3 | July 19, 2022 |
| A-82576 | Adding a column that references a sequence to a table, or creating a table with columns referencing sequences, adds an incomplete back-reference to the sequence metadata. | v22.1.0 to v22.1.2 | July 18, 2022 |
| A-82079 | If a CREATE MATERIALIZED VIEW statement fails, all objects referenced in its SELECT query will be unusable. | v21.2.0 to v21.2.12, v22.1.0 | July 18, 2022 |
| A-81448 | Columns that are NOT NULL, have a volatile DEFAULT expression, and are present in one or more secondary indexes will have values in those secondary indexes that are inconsistent with the primary index, which can lead to incorrect query results. | v21.1.x, v21.2.0 to v21.2.12, v22.1.0 | June 28, 2022 |
| A-81968 | Left outer joins and correlated subqueries can produce incorrect results. | v22.1.0 | June 6, 2022 |
| A-82309 | During or after an upgrade from CockroachDB v21.2.x to v22.1.0, existing changefeeds will stop emitting data. | v22.1.0-alpha.1 to v22.1.0 | June 3, 2022 |
| A-81315 | Prepared SELECT queries that filter a column with a constant cast to the wrong type fail to return the expected results. | v21.2.0 to v21.2.10, v22.1.0-alpha.1 to v22.1.0 | May 23, 2022 |
| A-79066 | Data key rotation is inadvertently disabled if the store key hasn't changed since the last node start. | All clusters with encryption-at-rest enabled running versions of CockroachDB v20.2.x, v21.1.0 to v21.1.18, and v21.2.0 to v21.2.9 | May 2, 2022 |
| A-79384 | The optimizer has been found to create logically incorrect query plans in some cases. | v21.1.0 to v21.1.17, v21.2.0 to v21.2.8, v22.1.0-alpha.1 to v22.1.0-beta.1 | April 14, 2022 |
| A-79281 | Importing duplicate keys can cause violations of UNIQUE constraints. | v21.2.0 to v21.2.7, v22.1.0-alpha.1 to v22.1.0-alpha.5, v22.1.0-beta.1 | April 12, 2022 |
| A-78681 | The optimizer has been found to create logically incorrect query plans in some cases. | v21.1.0 to v21.1.16, v21.2.0 to v21.1.7, v22.1.0-alpha.1 to v22.1.0-alpha.5 | April 11, 2022 |
| A-76522 | The optimizer can omit ON conditions of joins in query plans, causing incorrect results. | v20.2.0 to v20.2.19, v21.1.0 to v21.1.15, v21.2.0 to v21.2.6 | March 9, 2022 |
| A-75758 | Users without the appropriate permissions may cancel any other users' sessions from the DB Console. | v20.2.0 to v20.2.18, v21.1.0 to v21.1.13, v21.2.0 to v21.2.4 | February 10, 2022 |
| A-74736 | Queries can miss rows in a primary or unique index that is being scanned, causing incorrect query results. | v21.2.0 to v21.2.4 | February 7, 2022 |
| A-74385 | Partial indexes can be corrupted by UPDATE statements, resulting in incorrect query results for any queries that use the partial index. | v21.1 and v21.2 prior to v21.1.13 and v21.2.4 | January 6, 2022 |
| CVE-2021-44228 | No Cockroach Labs products or services are affected by the recent CVE-2021-44228 Apache Log4j vulnerability. | None | December 14, 2021 |
| A-73629 | Planning queries over partitioned tables with a DEFAULT partition in a PARTITION BY LIST clause could cause a spurious internal error. | v21.1 and v21.2 prior to v21.1.13 and v21.2.3 | December 14, 2021 |
| A-73024 | The optimizer could incorrectly plan queries that use semi-joins against multi-region REGIONAL BY ROW tables. | v21.2.0 | November 29, 2021 |
| A-72839 | Backups fail during the upgrade process. | v21.2.0 | November 18, 2021 |
| A-71553 | SQL statements that used secondary unique indexes created as a result of an ALTER PRIMARY KEY statement can return incorrect results. | v20.2, v21.1 | November 8, 2021 |
| A-71655 | Zigzag joins could potentially produce incorrect results. | v19.2, v20.1, v20.2, v21.1 | November 2, 2021 |
| A-71002 | CockroachDB v21.1.9 drops WHERE predicates from prepared statements in specific circumstances. | v21.1.9 | October 7, 2021 |
| A-69874 | CockroachDB v21.1.8 cannot be downgraded. | v21.1.8 | September 7, 2021 |
| A-68005 | The sql.trace.txn.enable_threshold cluster setting causes crash loops. | v21.1.0 to v21.1.6 | August 20, 2021 |
| A-62842 | TRUNCATE TABLE during CREATE/ALTER INDEX can cause data corruption. | v20.2.0 to v20.2.8 | July 29, 2021 |
| A-64325 | Race condition between reads and replica removal. | v20.1 and later | May 3, 2021 |
| A-63162 | Invalid incremental backups under certain circumstances. | v19.1.0 to v19.1.11, v19.2.0 to v19.2.12, v20.1.0 to v20.1.14, v20.2.0 to v20.2.7 | April 30, 2021 |
| A-58932 | HTTP requests can cause full-cluster denial of service (DoS). | v19.2.0 to v19.2.11, v20.1.0 to v20.1.10, v20.2.0 to v20.2.3 | February 2, 2021 |
| A-56116 | Incorrect timezone calculations with "slim" zoneinfo format. | All | October 29, 2020 |
| A-54418 | Incorrect behavior with large batch UPSERTs. | v20.1.4, v20.1.5 | September 24, 2020 |
| A-50587 | TRUNCATE prevents table renaming. | v19.1.0 to v19.1.10, v19.2.0 to v19.2.8 | July 6, 2020 |
| A-48860 | Data corruption/loss issue with snapshots and delete range. | v2.1.0 to v2.1.9, v19.1.0 to v19.1.8, v19.2.0 to v19.2.6 | May 20, 2020 |
| A-44348 | Data leak in statement details. | v2.1.0 to v2.1.11, v19.1.0 to v19.1.7, v19.2.0 to v19.2.3 | February 12, 2020 |
| A-44299 | Schema changes may cause cluster unavailability. | v19.1.0 to v19.1.7, v19.2.0 to v19.2.3 | February 12, 2020 |
| A-44166 | SHOW JOBS and the Jobs page can endanger cluster stability. | v19.2.0 to v19.2.2 | February 12, 2020 |
| A-43870 | HTTP authentication for non-Enterprise users. | v2.1.10 onward, v19.1.6 onward, v19.2.2 | January 22, 2020 |
| A-42567 | HTTP endpoint vulnerability. | v2.1.0 to v2.1.8, v19.1.0 to v19.1.5, v19.2.0 to v19.2.1 | January 22, 2020 |
| A-30821 | Authentication bypass for internal RPCs. | v1.1.0 to v1.1.8, v2.0.0 to v2.0.4 | October 1, 2018 |

