#VU8995 Information disclosure


Published: 2017-10-31

Vulnerability identifier: #VU8995

Vulnerability risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-10268

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Vulnerable software:

Vendor:

Description
The vulnerability allows a local high-privileged attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). A local attacker can gain unauthorized access to critical data or complete access to all MySQL Server accessible data.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation
Install update from vendor's website.

Vulnerable software versions

:

: 5.6.10 - 5.6.34, 5.7.11 - 5.7.16, 5.5.48 - 5.5.57

External links
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Red Hat update for mariadb
Information disclosure in mariadb (Alpine package)
SUSE Linux update for mariadb
Gentoo update for MySQL
Amazon Linux AMI update for mysql56, mysql57
Amazon Linux AMI update for mysql55
SUSE Linux update for mysql
Slackware Linux update for mariadb
Ubuntu update for MySQL
OpenSUSE Linux update for mysql-community-server