Vulnerabilities > CVE-2020-2875
Summary
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).
Vulnerable Configurations
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_622B5C47855B11EAA5E2D4C9EF517024.NASL description Oracle reports : This Critical Patch Update contains 45 new security patches for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. last seen 2020-05-08 modified 2020-04-24 plugin id 135942 published 2020-04-24 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135942 title FreeBSD : MySQL Client -- Multiple vulerabilities (622b5c47-855b-11ea-a5e2-d4c9ef517024) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4703.NASL description Three vulnerabilities have been found in the MySQL Connector/J JDBC driver. last seen 2020-06-13 modified 2020-06-12 plugin id 137376 published 2020-06-12 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/137376 title Debian DSA-4703-1 : mysql-connector-java - security update NASL family Misc. NASL id ORACLE_MYSQL_CONNECTORS_CPU_APR_2020.NASL description The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by the following vulnerabilities as referenced in the April 2020 CPU advisory: - A vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. This is a difficult to exploit vulnerability that allows an unauthenticated attacker, remote attacker via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks involving this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. (CVE-2020-2875) - A vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. This is a difficult to exploit vulnerability that allows a high privileged, remote attacker via multiple protocols to compromise MySQL Connectors. Successful attacks involving this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. (CVE-2020-2933) - A vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. This is a difficult to exploit vulnerability allows an unauthenticated, remote attacker via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks involving this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. (CVE-2020-2934) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-05-08 modified 2020-04-15 plugin id 135588 published 2020-04-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135588 title Oracle MySQL Connectors (Apr 2020 CPU) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2245.NASL description Several issues were discovered in mysql-connector-java, a Java database (JDBC) driver for MySQL, that allow attackers to update, insert or delete access to some of MySQL Connectors accessible data, unauthorized read access to a subset of the data, and partial denial of service. For Debian 8 last seen 2020-06-13 modified 2020-06-12 plugin id 137372 published 2020-06-12 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/137372 title Debian DLA-2245-1 : mysql-connector-java security update
References
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html
- https://www.debian.org/security/2020/dsa-4703
- https://security.gentoo.org/glsa/202105-27
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA/