Vulnerability CVE-2019-2683


Published: 2019-04-23

Description:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Type:

CWE-284

(Improper Access Control)

Vendor: Oracle
Product: Mysql 
Version:
8.0.5
8.0.4
8.0.3
8.0.2
8.0.15
8.0.14
8.0.13
8.0.12
8.0.11
8.0.10
8.0.1
8.0.0
5.7.9
5.7.8
5.7.7
5.7.6
5.7.5
5.7.4
5.7.3
5.7.25
5.7.24
5.7.23
5.7.22
5.7.21
5.7.20
5.7.2
5.7.19
5.7.18
5.7.17
5.7.16
5.7.15
5.7.14
5.7.13
5.7.12
5.7.11
5.7.10
5.7.1
5.7.0
5.6.9
5.6.8
5.6.7
5.6.6
5.6.5
5.6.43
5.6.42
5.6.41
5.6.40
5.6.4
5.6.39
5.6.38
5.6.37
5.6.36
5.6.35
5.6.34
5.6.33
5.6.32
5.6.31
5.6.30
5.6.3
5.6.29
5.6.28
5.6.27
5.6.26
5.6.25
5.6.24
5.6.23
5.6.22
5.6.21
5.6.20
5.6.2
5.6.19
5.6.18
5.6.17
5.6.16
5.6.15
5.6.14
5.6.13
5.6.12
5.6.11
5.6.10
5.6.1
5.6.0
Vendor: Canonical
Product: Ubuntu linux 
Version:
19.04
18.10
18.04
16.04

CVSS2 => (AV:N/AC:L/Au:S/C:N/I:N/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4/10
2.9/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial

 References:
http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://support.f5.com/csp/article/K28312671
https://usn.ubuntu.com/3957-1/

Related CVE
CVE-2019-12436
Samba 4.10.x before 4.10.5 has a NULL pointer dereference, leading to an AD DC LDAP server Denial of Service. This is related to an attacker using the paged search control. The attacker must have directory read access in order to attempt an exploit.
CVE-2019-11477
Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This ha...
CVE-2019-0196
A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request ...
CVE-2019-0220
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions...
CVE-2019-12749
dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference ...
CVE-2019-11596
In memcached before 1.5.14, a NULL pointer dereference was found in the "lru mode" and "lru temp_ttl" commands. This causes a denial of service when parsing crafted lru command messages in process_lru_command in memcached.c.
CVE-2019-9928
GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution.
CVE-2019-11498
WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through 5.1.0 has a "Conditional jump or move depends on uninitialised value" condition, which might allow attackers to cause a denial of service (application crash) via a DFF file ...

Copyright 2019, cxsecurity.com

 

Back to Top