Source: mysql-8.0 X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security
Hi, The following vulnerabilities were published for mysql-8.0. CVE-2024-21102[0]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Thread Pooling). Supported versions that are | affected are 8.0.36 and prior and 8.3.0 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21096[1]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Client: mysqldump). Supported versions that are | affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to | exploit vulnerability allows unauthenticated attacker with logon to | the infrastructure where MySQL Server executes to compromise MySQL | Server. Successful attacks of this vulnerability can result in | unauthorized update, insert or delete access to some of MySQL Server | accessible data as well as unauthorized read access to a subset of | MySQL Server accessible data and unauthorized ability to cause a | partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 | Base Score 4.9 (Confidentiality, Integrity and Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). CVE-2024-21087[2]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Group Replication Plugin). Supported versions | that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21069[3]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: DDL). Supported versions that are affected are | 8.0.36 and prior and 8.3.0 and prior. Easily exploitable | vulnerability allows high privileged attacker with network access | via multiple protocols to compromise MySQL Server. Successful | attacks of this vulnerability can result in unauthorized ability to | cause a hang or frequently repeatable crash (complete DOS) of MySQL | Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS | Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21062[4]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Optimizer). Supported versions that are | affected are 8.0.36 and prior and 8.3.0 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21060[5]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Data Dictionary). Supported versions that are | affected are 8.0.36 and prior and 8.3.0 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21054[6]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Optimizer). Supported versions that are | affected are 8.0.36 and prior and 8.3.0 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21047[7]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: InnoDB). Supported versions that are affected are | 8.0.36 and prior and 8.3.0 and prior. Easily exploitable | vulnerability allows high privileged attacker with network access | via multiple protocols to compromise MySQL Server. Successful | attacks of this vulnerability can result in unauthorized ability to | cause a hang or frequently repeatable crash (complete DOS) of MySQL | Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS | Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21013[8]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Optimizer). Supported versions that are | affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to | exploit vulnerability allows high privileged attacker with network | access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21009[9]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Optimizer). Supported versions that are | affected are 8.0.36 and prior and 8.3.0 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21008[10]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Optimizer). Supported versions that are | affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to | exploit vulnerability allows high privileged attacker with network | access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21000[11]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Security: Privileges). Supported versions that | are affected are 8.0.36 and prior and 8.3.0 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | update, insert or delete access to some of MySQL Server accessible | data as well as unauthorized read access to a subset of MySQL | Server accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and | Integrity impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N). CVE-2024-20998[12]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Optimizer). Supported versions that are | affected are 8.0.36 and prior and 8.3.0 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-20994[13]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Information Schema). Supported versions that | are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to | exploit vulnerability allows low privileged attacker with network | access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-21102 https://www.cve.org/CVERecord?id=CVE-2024-21102 [1] https://security-tracker.debian.org/tracker/CVE-2024-21096 https://www.cve.org/CVERecord?id=CVE-2024-21096 [2] https://security-tracker.debian.org/tracker/CVE-2024-21087 https://www.cve.org/CVERecord?id=CVE-2024-21087 [3] https://security-tracker.debian.org/tracker/CVE-2024-21069 https://www.cve.org/CVERecord?id=CVE-2024-21069 [4] https://security-tracker.debian.org/tracker/CVE-2024-21062 https://www.cve.org/CVERecord?id=CVE-2024-21062 [5] https://security-tracker.debian.org/tracker/CVE-2024-21060 https://www.cve.org/CVERecord?id=CVE-2024-21060 [6] https://security-tracker.debian.org/tracker/CVE-2024-21054 https://www.cve.org/CVERecord?id=CVE-2024-21054 [7] https://security-tracker.debian.org/tracker/CVE-2024-21047 https://www.cve.org/CVERecord?id=CVE-2024-21047 [8] https://security-tracker.debian.org/tracker/CVE-2024-21013 https://www.cve.org/CVERecord?id=CVE-2024-21013 [9] https://security-tracker.debian.org/tracker/CVE-2024-21009 https://www.cve.org/CVERecord?id=CVE-2024-21009 [10] https://security-tracker.debian.org/tracker/CVE-2024-21008 https://www.cve.org/CVERecord?id=CVE-2024-21008 [11] https://security-tracker.debian.org/tracker/CVE-2024-21000 https://www.cve.org/CVERecord?id=CVE-2024-21000 [12] https://security-tracker.debian.org/tracker/CVE-2024-20998 https://www.cve.org/CVERecord?id=CVE-2024-20998 [13] https://security-tracker.debian.org/tracker/CVE-2024-20994 https://www.cve.org/CVERecord?id=CVE-2024-20994 Please adjust the affected versions in the BTS as needed.