Multiple vulnerabilities in MySQL Server



Published: 2022-01-19
Risk: Medium
Patch available: YES
Number of vulnerabilities: 30
CVE-ID: CVE-2022-21372, CVE-2022-21249, CVE-2022-21265, CVE-2022-21245, CVE-2022-21368, CVE-2022-21303, CVE-2022-21344, CVE-2022-21304, CVE-2022-21370, CVE-2022-21342, CVE-2022-21339, CVE-2022-21297, CVE-2022-21264, CVE-2022-21253, CVE-2022-21374, CVE-2022-21362, CVE-2022-21379, CVE-2022-21256, CVE-2022-21270, CVE-2022-21348, CVE-2022-21254, CVE-2022-21302, CVE-2022-21378, CVE-2022-21301, CVE-2022-21367, CVE-2022-21352, CVE-2022-21358, CVE-2022-21351, CVE-2022-21278, CVE-2021-22946
CWE-ID: CWE-125, CWE-20, CWE-319
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: MySQL Server (Server applications / Database software)
Vendor: Oracle

Security Bulletin

This security bulletin contains information about 30 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU59808

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21372

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform service disruption.

The vulnerability exists due to improper input validation within the Server: Security: Encryption component in MySQL Server. A remote privileged user can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

2) Improper input validation

EUVDB-ID: #VU59807

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21249

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform service disruption.

The vulnerability exists due to improper input validation within the Server: DDL component in MySQL Server. A remote privileged user can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

3) Improper input validation

EUVDB-ID: #VU59793

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21265

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to manipulate or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to manipulate or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

4) Improper input validation

EUVDB-ID: #VU59792

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21245

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to manipulate data.

The vulnerability exists due to improper input validation within the Server: Security: Privileges component in MySQL Server. A remote authenticated user can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 5.7.0 - 5.7.36, 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

5) Improper input validation

EUVDB-ID: #VU59791

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21368

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to read and manipulate data.

The vulnerability exists due to improper input validation within the Server: Components Services component in MySQL Server. A remote privileged user can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

6) Improper input validation

EUVDB-ID: #VU59790

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21303

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Stored Procedure component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 5.7.0 - 5.7.36, 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

7) Improper input validation

EUVDB-ID: #VU59789

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21344

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Replication component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 5.7.0 - 5.7.36, 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

8) Improper input validation

EUVDB-ID: #VU59788

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21304

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Parser component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 5.7.0 - 5.7.36, 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

9) Improper input validation

EUVDB-ID: #VU59787

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21370

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

10) Improper input validation

EUVDB-ID: #VU59786

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21342

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

11) Improper input validation

EUVDB-ID: #VU59785

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21339

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

12) Improper input validation

EUVDB-ID: #VU59784

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21297

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.26


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

13) Improper input validation

EUVDB-ID: #VU59783

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21264

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

14) Improper input validation

EUVDB-ID: #VU59782

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21253

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

15) Improper input validation

EUVDB-ID: #VU59781

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21374

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Information Schema component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

16) Improper input validation

EUVDB-ID: #VU59780

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21362

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Information Schema component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

17) Improper input validation

EUVDB-ID: #VU59779

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21379

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Group Replication Plugin component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

18) Improper input validation

EUVDB-ID: #VU59778

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21256

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Group Replication Plugin component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

19) Improper input validation

EUVDB-ID: #VU59777

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21270

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Federated component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 5.7.0 - 5.7.36, 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

20) Improper input validation

EUVDB-ID: #VU59776

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21348

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

21) Improper input validation

EUVDB-ID: #VU59775

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21254

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

22) Improper input validation

EUVDB-ID: #VU59774

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21302

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

23) Improper input validation

EUVDB-ID: #VU59773

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21378

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to damage or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damage or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

24) Improper input validation

EUVDB-ID: #VU59772

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21301

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to damage or delete data.

The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to damage or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

25) Improper input validation

EUVDB-ID: #VU59771

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21367

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to damage or delete data.

The vulnerability exists due to improper input validation within the Server: Compiling component in MySQL Server. A remote privileged user can exploit this vulnerability to damage or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 5.7.0 - 5.7.36, 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

26) Improper input validation

EUVDB-ID: #VU59770

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21352

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to damage or delete data.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to damage or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.26


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

27) Improper input validation

EUVDB-ID: #VU59738

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21358

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Security: Encryption component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

28) Improper input validation

EUVDB-ID: #VU59736

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21351

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to damage or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to damage or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

29) Improper input validation

EUVDB-ID: #VU59735

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21278

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to damage or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to damage or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 8.0.0 - 8.0.26


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416

30) Cleartext transmission of sensitive information

EUVDB-ID: #VU56613

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-22946

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error related to incorrect enforcement of the --ssl-reqd option on the command line, or of the CURLOPT_USE_SSL setting set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl. A remote attacker with control over the IMAP, POP3 or FTP server can send a specially crafted but perfectly legitimate response to the libcurl client and silently force it to continue its operations without TLS encryption and transmit data in clear text over the network.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MySQL Server: 5.7.0 - 5.7.36, 8.0.0 - 8.0.27


External links

http://www.oracle.com/security-alerts/cpujan2022.html?1416


