CVE-2022-21280
published 2022-01-19CVE-2022-21280: Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and…
PriorityP344medium6.3CVSS 3.1
AVAACHPRHUIRSUCHIHAH
EPSS
76.55%
99.5th percentile
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | cbl2_mysql_8.0.28-1_on_cbl_mariner_2.0 | — | — |
| oracle | mysql | 7.4.0 – 7.4.34 | — |
| oracle | mysql | 7.5.0 – 7.5.24 | — |
| oracle | mysql | 7.6.0 – 7.6.20 | — |
| oracle | mysql | 8.0.0 – 8.0.27 | — |
| oracle_corporation | mysql_cluster | — | — |
| oracle_corporation | mysql_cluster | — | — |
| oracle_corporation | mysql_cluster | — | — |
| oracle_corporation | mysql_cluster | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- ·Exploitation requires the attacker to have access to the physical communication segment (adjacent network) attached to the hardware where MySQL Cluster executes, limiting remote exploitation. ↗
- ·Exploitation is rated 'Difficult' and also requires human interaction from a third party, making opportunistic exploitation unlikely. ↗
- ·Affected versions span multiple MySQL Cluster release trains: 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, and 8.0.27 and prior. ↗
- ·Microsoft Azure Linux (CBL-Mariner) is also identified as potentially affected, as it bundles this open-source library. ↗
CVSS provenance
nvdv3.16.3MEDIUMCVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
nvdv2.04.0MEDIUMAV:A/AC:H/Au:S/C:P/I:P/A:P
vendor_msrc6.3MEDIUM
vendor_oracle6.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Oracle
Oracle Oracle MySQL Risk Matrix: Cluster: General — CVE-2022-21280
vendor_oracle·2022-01-15·CVSS 6.3
CVE-2022-21280 [MEDIUM] Oracle Oracle MySQL Risk Matrix: Cluster: General — CVE-2022-21280
Oracle Oracle MySQL Risk Matrix: Cluster: General vulnerability
CVE: CVE-2022-21280
CVSS: 6.3
Protocol: Multiple
Remote exploit: No
Affected versions: Adjacent
Network
Advisory: cpujan2022 (JAN 2022)
Microsoft
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior 7.5.24 and prior 7.6.20 and prior and 8.0.27 and pri
vendor_msrc·2022-01-11·CVSS 6.3
CVE-2022-21280 [MEDIUM] Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior 7.5.24 and prior 7.6.20 and prior and 8.0.27 and pri
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior 7.5.24 and prior 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library
GHSA
GHSA-89pp-7jpj-hxxf: Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General)
ghsa_unreviewed·2022-01-20
CVE-2022-21280 [MEDIUM] GHSA-89pp-7jpj-hxxf: Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General)
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://security.netapp.com/advisory/ntap-20220121-0008/https://www.oracle.com/security-alerts/cpujan2022.htmlhttps://www.zerodayinitiative.com/advisories/ZDI-22-084/https://security.netapp.com/advisory/ntap-20220121-0008/https://www.oracle.com/security-alerts/cpujan2022.htmlhttps://www.zerodayinitiative.com/advisories/ZDI-22-084/
2022-01-19
Published