CVE-2021-2014 — Out-of-bounds Read in Oracle Mysql

CWE-125 — Out-of-bounds Read CWE-476 — NULL Pointer Dereference CWE-121 — Stack-based Buffer Overflow CWE-460 — Improper Cleanup on Thrown Exception CWE-362 — Race Condition CWE-862 — Missing Authorization CWE-20 — Improper Input Validation CWE-644 — Improper Neutralization of HTTP Headers for Scripting Syntax CWE-285 — Improper Authorization CWE-863 — Incorrect Authorization CWE-456 — Missing Initialization of a Variable CWE-99 — Resource Injection CWE-22 — Path Traversal CWE-693 — Protection Mechanism Failure CWE-59 — Link Following CWE-369 — Divide By Zero35 documents10 sources

Severity

4.9MEDIUMNVD

GHSA9.8GHSA9.1GHSA8.1GHSA5.0OSV6.5

EPSS

0.2%

top 57.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 CMS Typo3 Cms-core Oracle Mysql +1 more

Timeline

PublishedJan 20

Latest updateJun 19

Description

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PAM Auth Plugin). Supported versions that are affected are 5.7.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS V…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 1.2 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5oracle_corporation/mysql_server5.7.32 and prior

▶NVDoracle/mysql5.7.0 — 5.7.32

▶Packagisttypo3/cms11.0.0 — 11.5.0

▶Packagisttypo3/cms-core11.0.0 — 11.5.0

🔴Vulnerability Details

OSV

php-dompdf vulnerabilities↗2023-08-08

▶

GHSA

GHSA-86q4-677r-wjxv: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PAM Auth Plugin)↗2022-05-24

▶

GHSA

Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins↗2022-05-24

▶

GHSA

Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins↗2022-05-24

▶

GHSA

Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins↗2022-05-24

▶

💥Exploits & PoCs

Exploit-DB

Mitsubishi Electric & INEA SmartRTU - Source Code Disclosure↗2021-10-18

▶

Exploit-DB

GetSimple CMS 3.3.4 - Information Disclosure↗2021-06-02

▶

Exploit-DB

HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)↗2021-02-23

▶

Exploit-DB

vBulletin 4.x/5.x - AdminCP/ApiLog via xmlrpc API (Authenticated) Persistent Cross-Site Scripting↗2014-10-12

▶

📋Vendor Advisories

Red Hat

kernel: nfc: fix segfault in nfc_genl_dump_devices_done↗2024-06-19

▶

Red Hat

kernel: can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible()↗2024-05-22

▶

Red Hat

kernel: btrfs: do not BUG_ON in link_to_fixup_dir↗2024-03-25

▶

Red Hat

kernel: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()↗2024-03-04

▶

Red Hat

kernel: RDMA/core: Prevent divide-by-zero error triggered by the user↗2024-03-01

▶