Source: mysql-8.0 X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security
Hi, The following vulnerabilities were published for mysql-8.0. CVE-2022-39400[0]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.30 | and prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-39402[1]: | Vulnerability in the MySQL Shell product of Oracle MySQL (component: | Shell: Core Client). Supported versions that are affected are 8.0.30 | and prior. Easily exploitable vulnerability allows unauthenticated | attacker with logon to the infrastructure where MySQL Shell executes | to compromise MySQL Shell. While the vulnerability is in MySQL Shell, | attacks may significantly impact additional products (scope change). | Successful attacks of this vulnerability can result in unauthorized | read access to a subset of MySQL Shell accessible data. CVSS 3.1 Base | Score 4.3 (Confidentiality impacts). CVSS Vector: | (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N). CVE-2022-39403[2]: | Vulnerability in the MySQL Shell product of Oracle MySQL (component: | Shell: Core Client). Supported versions that are affected are 8.0.30 | and prior. Easily exploitable vulnerability allows low privileged | attacker with logon to the infrastructure where MySQL Shell executes | to compromise MySQL Shell. Successful attacks require human | interaction from a person other than the attacker. Successful attacks | of this vulnerability can result in unauthorized update, insert or | delete access to some of MySQL Shell accessible data as well as | unauthorized read access to a subset of MySQL Shell accessible data. | CVSS 3.1 Base Score 3.9 (Confidentiality and Integrity impacts). CVSS | Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N). CVE-2022-39408[3]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.30 | and prior. Easily exploitable vulnerability allows low privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2022-39410[4]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.30 | and prior. Easily exploitable vulnerability allows low privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21594[5]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.30 | and prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21599[6]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Stored Procedure). Supported versions that are affected are | 8.0.30 and prior. Easily exploitable vulnerability allows high | privileged attacker with network access via multiple protocols to | compromise MySQL Server. Successful attacks of this vulnerability can | result in unauthorized ability to cause a hang or frequently | repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score | 4.9 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21604[7]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | InnoDB). Supported versions that are affected are 8.0.30 and prior. | Easily exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete DOS) | of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS | Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21608[8]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 5.7.39 | and prior and 8.0.30 and prior. Easily exploitable vulnerability | allows high privileged attacker with network access via multiple | protocols to compromise MySQL Server. Successful attacks of this | vulnerability can result in unauthorized ability to cause a hang or | frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 | Base Score 4.9 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21611[9]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | InnoDB). Supported versions that are affected are 8.0.30 and prior. | Difficult to exploit vulnerability allows high privileged attacker | with logon to the infrastructure where MySQL Server executes to | compromise MySQL Server. Successful attacks of this vulnerability can | result in unauthorized ability to cause a hang or frequently | repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score | 4.1 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21617[10]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Connection Handling). Supported versions that are affected are | 5.7.39 and prior and 8.0.30 and prior. Easily exploitable | vulnerability allows high privileged attacker with network access via | multiple protocols to compromise MySQL Server. Successful attacks of | this vulnerability can result in unauthorized ability to cause a hang | or frequently repeatable crash (complete DOS) of MySQL Server. CVSS | 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21625[11]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.30 | and prior. Difficult to exploit vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21632[12]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Security: Privileges). Supported versions that are affected | are 8.0.30 and prior. Easily exploitable vulnerability allows high | privileged attacker with network access via multiple protocols to | compromise MySQL Server. Successful attacks of this vulnerability can | result in unauthorized ability to cause a hang or frequently | repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score | 4.9 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21633[13]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Replication). Supported versions that are affected are 8.0.30 | and prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21637[14]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | InnoDB). Supported versions that are affected are 8.0.30 and prior. | Easily exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete DOS) | of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS | Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21640[15]: | Vulnerability in the MySQL Server product of Oracle MySQL (component: | Server: Optimizer). Supported versions that are affected are 8.0.30 | and prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-39400 https://www.cve.org/CVERecord?id=CVE-2022-39400 [1] https://security-tracker.debian.org/tracker/CVE-2022-39402 https://www.cve.org/CVERecord?id=CVE-2022-39402 [2] https://security-tracker.debian.org/tracker/CVE-2022-39403 https://www.cve.org/CVERecord?id=CVE-2022-39403 [3] https://security-tracker.debian.org/tracker/CVE-2022-39408 https://www.cve.org/CVERecord?id=CVE-2022-39408 [4] https://security-tracker.debian.org/tracker/CVE-2022-39410 https://www.cve.org/CVERecord?id=CVE-2022-39410 [5] https://security-tracker.debian.org/tracker/CVE-2022-21594 https://www.cve.org/CVERecord?id=CVE-2022-21594 [6] https://security-tracker.debian.org/tracker/CVE-2022-21599 https://www.cve.org/CVERecord?id=CVE-2022-21599 [7] https://security-tracker.debian.org/tracker/CVE-2022-21604 https://www.cve.org/CVERecord?id=CVE-2022-21604 [8] https://security-tracker.debian.org/tracker/CVE-2022-21608 https://www.cve.org/CVERecord?id=CVE-2022-21608 [9] https://security-tracker.debian.org/tracker/CVE-2022-21611 https://www.cve.org/CVERecord?id=CVE-2022-21611 [10] https://security-tracker.debian.org/tracker/CVE-2022-21617 https://www.cve.org/CVERecord?id=CVE-2022-21617 [11] https://security-tracker.debian.org/tracker/CVE-2022-21625 https://www.cve.org/CVERecord?id=CVE-2022-21625 [12] https://security-tracker.debian.org/tracker/CVE-2022-21632 https://www.cve.org/CVERecord?id=CVE-2022-21632 [13] https://security-tracker.debian.org/tracker/CVE-2022-21633 https://www.cve.org/CVERecord?id=CVE-2022-21633 [14] https://security-tracker.debian.org/tracker/CVE-2022-21637 https://www.cve.org/CVERecord?id=CVE-2022-21637 [15] https://security-tracker.debian.org/tracker/CVE-2022-21640 https://www.cve.org/CVERecord?id=CVE-2022-21640 Please adjust the affected versions in the BTS as needed.