CVE-2022-21589
Published 2022-10-18
CVE-2022-21589: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.39 and prior…
Priority: P2 · 77 · medium · CVSS 3.1 base score 4.3
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:N
ITW: VulnCheck KEV (Exploited in the wild)
EPSS: 0.91% (55.5th percentile)
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.39 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mysql-8.0 | — | — |
| oracle | mysql | 5.7.0 – 5.7.39 | — |
| oracle | mysql | 8.0 – 8.0.16 | — |
| oracle_corporation | mysql_server | — | — |
| oracle_corporation | mysql_server | — | — |
Detection & IOCs (extracted from sources)
- Affected versions: MySQL Server 5.7.39 and prior, and 8.0.16 and prior; patch targets are 5.7.40+ and 8.0.17+.
- Attack vector is the network-accessible MySQL Protocol with low privileges required; monitor for low-privileged accounts performing unexpected privilege enumeration or data reads over the MySQL protocol.
- Vulnerable component is the Server: Security: Privileges subsystem; focus audit/logging on privilege-related queries and access control checks in MySQL.
- MariaDB packages across all tracked Red Hat and OpenStack distributions are confirmed NOT affected by this CVE.
- Ubuntu 16.04 ESM mitigation is achieved by updating MySQL to version 5.7.40 via standard system update.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vulncheck | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | LOW | — |
| vendor_oracle | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Ubuntu: MySQL vulnerabilities (vendor_ubuntu · 2022-10-26 · CVE-2022-21617)
Summary: Several security issues were fixed in MySQL.
USN-5696-1 fixed several vulnerabilities in MySQL. This update provides the corresponding update for Ubuntu 16.04 ESM.
Original advisory details:
Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues.
MySQL has been updated to 5.7.40 in Ubuntu 16.04 ESM.
In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.
Please see the following for more information:
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-40.html
https://www.oracle.com/security-alerts/cpuoct2022.html
Instructions: This update uses a new upstream release, which includes additional bug fixes. In ge
Ubuntu: MySQL vulnerabilities (vendor_ubuntu · 2022-10-24 · CVE-2022-21632)
Summary: Several security issues were fixed in MySQL.
Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues.
MySQL has been updated to 8.0.31 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
Ubuntu 18.04 LTS has been updated to MySQL 5.7.40.
In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.
Please see the following for more information:
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-40.html
https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-31.html
https://www.oracle.com/security-alerts/cpuoct2022.html
Instructions: This update uses a new upstream release, which includes additional bug fixes. In general, a st
Red Hat: mysql: Server: Security: Privileges unspecified vulnerability (CPU Oct 2022) (vendor_redhat · 2022-10-18 · CVSS 4.3 · MEDIUM)
Package: mysql (Red Hat Enterprise Linux 6) - Not affected
Package: mariadb (Red Hat Enterprise Linux 7) - Not affected
Package: mariadb:10.3/mariadb (Red Hat Enterpr
Oracle: Oracle MySQL Risk Matrix: Server: Security: Privileges vulnerability (vendor_oracle · 2022-10-15 · CVSS 4.3 · MEDIUM)
CVE: CVE-2022-21589
CVSS: 4.3
Protocol: MySQL Protocol
Remote exploit: No
Affected versions: Network
Advisory: cpuoct2022 (OCT 2022)
Debian: mysql-8.0 (vendor_debian · 2022 · CVSS 4.3 · MEDIUM)
Scope: local
sid: resolved
GHSA: GHSA-hwfp-8w72-6fqv (ghsa_unreviewed · 2022-10-19 · MEDIUM)
OSV: CVE-2022-21589 (osv · 2022-10-19 · CVSS 4.3 · MEDIUM)
VulnCheck: Oracle MySQL Server: Security: Privileges Unauthenticated Information Disclosure (vulncheck · 2022 · CVSS 4.3 · MEDIUM)
Affected: Oracle mysql
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations a
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.