[debian-mysql] Bug#1085294: mysql-8.0: CVE-2024-21247 CVE-2024-21241 CVE-2024-21239 CVE-2024-21238 CVE-2024-21237 CVE-2024-21236 CVE-2024-21231 CVE-2024-21230 CVE-2024-21219 CVE-2024-21218 CVE-2024-21213 CVE-2024-21212 CVE-2024-21203 CVE-2024-21201 CVE-2024-21199 CVE-2024-21198 CVE-2024-21197 CVE-2024-21196 CVE-2024-21194 CVE-2024-21193
Moritz Mühlenhoff
jmm at inutil.org
Thu Oct 17 22:03:19 BST 2024
Source: mysql-8.0
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for mysql-8.0.
CVE-2024-21247[0]:
| Vulnerability in the MySQL Client product of Oracle MySQL
| (component: Client: mysqldump). Supported versions that are
| affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior.
| Easily exploitable vulnerability allows high privileged attacker
| with network access via multiple protocols to compromise MySQL
| Client. Successful attacks of this vulnerability can result in
| unauthorized update, insert or delete access to some of MySQL Client
| accessible data as well as unauthorized read access to a subset of
| MySQL Client accessible data. CVSS 3.1 Base Score 3.8
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).
CVE-2024-21241[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior.
| Easily exploitable vulnerability allows high privileged attacker
| with network access via multiple protocols to compromise MySQL
| Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-21239[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-21238[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Thread Pooling). Supported versions that are
| affected are 8.0.39 and prior, 8.4.1 and prior and 9.0.1 and prior.
| Difficult to exploit vulnerability allows low privileged attacker
| with network access via multiple protocols to compromise MySQL
| Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-21237[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Group Replication GCS). Supported versions that
| are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and
| prior. Difficult to exploit vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result
| in unauthorized ability to cause a partial denial of service
| (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.2 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21236[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-21231[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Client programs). Supported versions that are affected
| are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior.
| Difficult to exploit vulnerability allows low privileged attacker
| with network access via multiple protocols to compromise MySQL
| Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a partial denial of service (partial
| DOS) of MySQL Server. CVSS 3.1 Base Score 3.1 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21230[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior.
| Easily exploitable vulnerability allows low privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-21219[8]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: DML). Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-21218[9]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-21213[10]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with logon
| to the infrastructure where MySQL Server executes to compromise
| MySQL Server. Successful attacks require human interaction from a
| person other than the attacker. Successful attacks of this
| vulnerability can result in unauthorized ability to cause a hang or
| frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1
| Base Score 4.2 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H).
CVE-2024-21212[11]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Health Monitor). Supported versions that are
| affected are 8.0.39 and prior and 8.4.0. Difficult to exploit
| vulnerability allows high privileged attacker with network access
| via multiple protocols to compromise MySQL Server. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-21203[12]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: FTS). Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-21201[13]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior.
| Easily exploitable vulnerability allows high privileged attacker
| with network access via multiple protocols to compromise MySQL
| Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-21199[14]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-21198[15]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: DDL). Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-21197[16]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Information Schema). Supported versions that
| are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result
| in unauthorized ability to cause a hang or frequently repeatable
| crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-21196[17]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: X Plugin). Supported versions that are affected
| are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily
| exploitable vulnerability allows low privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-21194[18]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-21193[19]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: PS). Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-21247
https://www.cve.org/CVERecord?id=CVE-2024-21247
[1] https://security-tracker.debian.org/tracker/CVE-2024-21241
https://www.cve.org/CVERecord?id=CVE-2024-21241
[2] https://security-tracker.debian.org/tracker/CVE-2024-21239
https://www.cve.org/CVERecord?id=CVE-2024-21239
[3] https://security-tracker.debian.org/tracker/CVE-2024-21238
https://www.cve.org/CVERecord?id=CVE-2024-21238
[4] https://security-tracker.debian.org/tracker/CVE-2024-21237
https://www.cve.org/CVERecord?id=CVE-2024-21237
[5] https://security-tracker.debian.org/tracker/CVE-2024-21236
https://www.cve.org/CVERecord?id=CVE-2024-21236
[6] https://security-tracker.debian.org/tracker/CVE-2024-21231
https://www.cve.org/CVERecord?id=CVE-2024-21231
[7] https://security-tracker.debian.org/tracker/CVE-2024-21230
https://www.cve.org/CVERecord?id=CVE-2024-21230
[8] https://security-tracker.debian.org/tracker/CVE-2024-21219
https://www.cve.org/CVERecord?id=CVE-2024-21219
[9] https://security-tracker.debian.org/tracker/CVE-2024-21218
https://www.cve.org/CVERecord?id=CVE-2024-21218
[10] https://security-tracker.debian.org/tracker/CVE-2024-21213
https://www.cve.org/CVERecord?id=CVE-2024-21213
[11] https://security-tracker.debian.org/tracker/CVE-2024-21212
https://www.cve.org/CVERecord?id=CVE-2024-21212
[12] https://security-tracker.debian.org/tracker/CVE-2024-21203
https://www.cve.org/CVERecord?id=CVE-2024-21203
[13] https://security-tracker.debian.org/tracker/CVE-2024-21201
https://www.cve.org/CVERecord?id=CVE-2024-21201
[14] https://security-tracker.debian.org/tracker/CVE-2024-21199
https://www.cve.org/CVERecord?id=CVE-2024-21199
[15] https://security-tracker.debian.org/tracker/CVE-2024-21198
https://www.cve.org/CVERecord?id=CVE-2024-21198
[16] https://security-tracker.debian.org/tracker/CVE-2024-21197
https://www.cve.org/CVERecord?id=CVE-2024-21197
[17] https://security-tracker.debian.org/tracker/CVE-2024-21196
https://www.cve.org/CVERecord?id=CVE-2024-21196
[18] https://security-tracker.debian.org/tracker/CVE-2024-21194
https://www.cve.org/CVERecord?id=CVE-2024-21194
[19] https://security-tracker.debian.org/tracker/CVE-2024-21193
https://www.cve.org/CVERecord?id=CVE-2024-21193
Please adjust the affected versions in the BTS as needed.
More information about the pkg-mysql-maint
mailing list