Authentication bypass using an alternate path or channel in MySQL Connectors

#VU19264 Authentication bypass using an alternate path or channel in MySQL Connectors

Published: 2019-07-19

Vulnerability identifier: #VU19264

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-3258

CWE-ID: CWE-288

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MySQL Connectors
Hardware solutions / Drivers

Vendor: Oracle

Description

The vulnerability allows an attacker to operate the product.

The vulnerability exists due to the access control bypass in the in the "Connector/J" component. A remote authenticated attacker with network access via multiple protocols can takeover the MySQL Connectors.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

MySQL Connectors: 2.0.4 - 8.0.12

External links
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Authentication bypass using an alternate path or channel in Oracle MySQL Connectors