CVE-2022-21595 The MySQL Server product is vulnerable to Oracle MySQL 5.7.36 and 8.0.27.

When accessing a MySQL database server, hackers can exploit a vulnerability in the MySQL Server software to gain high-privileged access to the system. The vulnerability can be exploited by attackers using specially crafted requests to cause denial of service or inject malicious code into the accessible part of the affected server. An unauthenticated attacker can exploit the vulnerability to gain high-privileged access to the system. By using this high-privilege access, it is possible for the attacker to carry out actions that would otherwise require administrative privileges on the system.

Vendor: Oracle\r

Vendor Code: MySQL

Vuln Type: Authentication Bypass, Improper Authentication, Incorrect Access Control, Incorrect Authentication, Confusion of Authentication Methods, Improperly Configured Authentication, Improper Restriction of Access to Sensitive Information, Improper Restriction of Access to Sensitive Information, Improperly Configured Authentication, Authentication Bypass.

CVSS v3 Score: 5.8 CVSS v3 Base Score: 7.5 Access Vector: Network Access Complexity: Low Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete CVSS v3 Weight: 7.8 Summary: Critical: Incorrect Access Control\r

A critical vulnerability in the MySQL Server software allows attackers to bypass authentication and gain high-privileged access to the affected system via multiple attack vectors

Description

A vulnerability in MySQL Server's authentication mechanism allows attackers to bypass authentication and gain high-privileged access to the affected system. The vulnerability can be exploited by attackers using specially crafted requests to cause denial of service or inject malicious code into the accessible part of the affected server. An unauthenticated attacker can exploit the vulnerability to gain high-privileged access to the system. By using this high-privilege access, it is possible for the attacker to carry out actions that would otherwise require administrative privileges on the system.

Authentication Bypass\r

An authenticated attacker can exploit the vulnerability to bypass authentication by sending a specially crafted request to cause denial of service or inject malicious code into the accessible part of the affected server.

Timeline

Published on: 10/18/2022 21:15:00 UTC
Last modified on: 10/18/2022 21:18:00 UTC

References

• https://www.oracle.com/security-alerts/cpuoct2022.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21595