CVE-2022-45347 — Incomplete Cleanup in Software Foundation Apache Shardingsphere-proxy

CWE-459 — Incomplete Cleanup4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.1%

top 68.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Shardingsphere-proxy Apache Shardingsphere

Timeline

PublishedDec 22

Description

Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn't cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client. This vulnerability has been fixed in Apache ShardingSphere 5.3.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5apache_software_foundation/apache_shardingsphere-proxy< 5.3.0

▶NVDapache/shardingsphere< 5.3.0

🔴Vulnerability Details

CVEList

Apache ShardingSphere-Proxy: MySQL authentication bypass↗2022-12-22

▶

OSV

Apache ShardingSphere-Proxy Incomplete Cleanup vulnerability↗2022-12-22

▶

GHSA

Apache ShardingSphere-Proxy Incomplete Cleanup vulnerability↗2022-12-22

▶