Source: mysql-8.0 Version: 8.0.33-2 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerabilities were published for mysql-8.0. CVE-2023-22058[0]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: DDL). Supported versions that are affected are | 8.0.33 and prior. Difficult to exploit vulnerability allows high | privileged attacker with network access via multiple protocols to | compromise MySQL Server. Successful attacks of this vulnerability | can result in unauthorized ability to cause a hang or frequently | repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score | 4.4 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2023-22057[1]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Replication). Supported versions that are | affected are 8.0.33 and prior. Easily exploitable vulnerability | allows high privileged attacker with network access via multiple | protocols to compromise MySQL Server. Successful attacks of this | vulnerability can result in unauthorized ability to cause a hang or | frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 | Base Score 4.9 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2023-22056[2]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Optimizer). Supported versions that are | affected are 8.0.33 and prior. Easily exploitable vulnerability | allows high privileged attacker with network access via multiple | protocols to compromise MySQL Server. Successful attacks of this | vulnerability can result in unauthorized ability to cause a hang or | frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 | Base Score 4.9 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2023-22054[3]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Optimizer). Supported versions that are | affected are 8.0.33 and prior. Easily exploitable vulnerability | allows high privileged attacker with network access via multiple | protocols to compromise MySQL Server. Successful attacks of this | vulnerability can result in unauthorized ability to cause a hang or | frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 | Base Score 4.9 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2023-22053[4]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Client programs). Supported versions that are affected | are 5.7.42 and prior and 8.0.33 and prior. Difficult to exploit | vulnerability allows low privileged attacker with network access via | multiple protocols to compromise MySQL Server. Successful attacks | of this vulnerability can result in unauthorized ability to cause a | hang or frequently repeatable crash (complete DOS) of MySQL Server | and unauthorized read access to a subset of MySQL Server accessible | data. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H). CVE-2023-22048[5]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Pluggable Auth). Supported versions that are | affected are 8.0.33 and prior. Difficult to exploit vulnerability | allows low privileged attacker with network access via multiple | protocols to compromise MySQL Server. Successful attacks of this | vulnerability can result in unauthorized read access to a subset of | MySQL Server accessible data. CVSS 3.1 Base Score 3.1 | (Confidentiality impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N). CVE-2023-22046[6]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Optimizer). Supported versions that are | affected are 8.0.33 and prior. Easily exploitable vulnerability | allows high privileged attacker with network access via multiple | protocols to compromise MySQL Server. Successful attacks of this | vulnerability can result in unauthorized ability to cause a hang or | frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 | Base Score 4.9 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2023-22038[7]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Security: Privileges). Supported versions that | are affected are 8.0.33 and prior. Easily exploitable vulnerability | allows high privileged attacker with network access via multiple | protocols to compromise MySQL Server. Successful attacks of this | vulnerability can result in unauthorized update, insert or delete | access to some of MySQL Server accessible data. CVSS 3.1 Base Score | 2.7 (Integrity impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N). CVE-2023-22033[8]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: InnoDB). Supported versions that are affected are | 8.0.33 and prior. Difficult to exploit vulnerability allows high | privileged attacker with network access via multiple protocols to | compromise MySQL Server. Successful attacks of this vulnerability | can result in unauthorized ability to cause a hang or frequently | repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score | 4.4 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2023-22008[9]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: InnoDB). Supported versions that are affected are | 8.0.33 and prior. Easily exploitable vulnerability allows high | privileged attacker with network access via multiple protocols to | compromise MySQL Server. Successful attacks of this vulnerability | can result in unauthorized ability to cause a hang or frequently | repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score | 4.9 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2023-22007[10]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Replication). Supported versions that are | affected are 5.7.41 and prior and 8.0.32 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2023-22005[11]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Replication). Supported versions that are | affected are 8.0.33 and prior. Difficult to exploit vulnerability | allows high privileged attacker with network access via multiple | protocols to compromise MySQL Server. Successful attacks of this | vulnerability can result in unauthorized ability to cause a hang or | frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 | Base Score 4.4 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2023-21950[12]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Replication). Supported versions that are | affected are 8.0.27 and prior. Easily exploitable vulnerability | allows high privileged attacker with network access via multiple | protocols to compromise MySQL Server. Successful attacks of this | vulnerability can result in unauthorized ability to cause a hang or | frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 | Base Score 4.9 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-22058 https://www.cve.org/CVERecord?id=CVE-2023-22058 [1] https://security-tracker.debian.org/tracker/CVE-2023-22057 https://www.cve.org/CVERecord?id=CVE-2023-22057 [2] https://security-tracker.debian.org/tracker/CVE-2023-22056 https://www.cve.org/CVERecord?id=CVE-2023-22056 [3] https://security-tracker.debian.org/tracker/CVE-2023-22054 https://www.cve.org/CVERecord?id=CVE-2023-22054 [4] https://security-tracker.debian.org/tracker/CVE-2023-22053 https://www.cve.org/CVERecord?id=CVE-2023-22053 [5] https://security-tracker.debian.org/tracker/CVE-2023-22048 https://www.cve.org/CVERecord?id=CVE-2023-22048 [6] https://security-tracker.debian.org/tracker/CVE-2023-22046 https://www.cve.org/CVERecord?id=CVE-2023-22046 [7] https://security-tracker.debian.org/tracker/CVE-2023-22038 https://www.cve.org/CVERecord?id=CVE-2023-22038 [8] https://security-tracker.debian.org/tracker/CVE-2023-22033 https://www.cve.org/CVERecord?id=CVE-2023-22033 [9] https://security-tracker.debian.org/tracker/CVE-2023-22008 https://www.cve.org/CVERecord?id=CVE-2023-22008 [10] https://security-tracker.debian.org/tracker/CVE-2023-22007 https://www.cve.org/CVERecord?id=CVE-2023-22007 [11] https://security-tracker.debian.org/tracker/CVE-2023-22005 https://www.cve.org/CVERecord?id=CVE-2023-22005 [12] https://security-tracker.debian.org/tracker/CVE-2023-21950 https://www.cve.org/CVERecord?id=CVE-2023-21950 Regards, Salvatore