Vulnerabilities > CVE-2022-45347 - Incomplete Cleanup vulnerability in Apache Shardingsphere

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

apache

CWE-459

critical

NVD

Published: 2022-12-22

Updated: 2022-12-29

Summary

Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn't cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client. This vulnerability has been fixed in Apache ShardingSphere 5.3.0.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Shardingsphere - Apache Shardingsphere 4.0.0 Apache Shardingsphere 5.0.0 Apache Shardingsphere 5.1.0 Apache Shardingsphere 5.1.1 Apache Shardingsphere 5.1.2 Apache Shardingsphere 5.2.0 Apache Shardingsphere 5.2.1	11

Common Weakness Enumeration (CWE)

CWE-459 - Incomplete Cleanup

References

https://lists.apache.org/thread/l5rz7j4rg10o7ywtgknh2f5hxnv6yw3l