[debian-mysql] Bug#1093877: mysql-8.0: CVE-2025-21555 CVE-2025-21559 CVE-2025-21540 CVE-2025-21543 CVE-2025-21546 CVE-2025-21490 CVE-2025-21491 CVE-2025-21497 CVE-2025-21500 CVE-2025-21501 CVE-2025-21503 CVE-2025-21505 CVE-2025-21518 CVE-2025-21519 CVE-2025-21520 CVE-2025-21522 CVE-2025-21523 CVE-2025-21529 CVE-2025-21531
Moritz Mühlenhoff
jmm at inutil.org
Thu Jan 23 18:58:38 GMT 2025
Source: mysql-8.0
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for mysql-8.0.
CVE-2025-21555[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server as well as unauthorized update, insert or
| delete access to some of MySQL Server accessible data. CVSS 3.1 Base
| Score 5.5 (Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
CVE-2025-21559[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server as well as unauthorized update, insert or
| delete access to some of MySQL Server accessible data. CVSS 3.1 Base
| Score 5.5 (Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
CVE-2025-21540[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Security: Privileges). Supported versions that
| are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and
| prior. Easily exploitable vulnerability allows low privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result
| in unauthorized update, insert or delete access to some of MySQL
| Server accessible data as well as unauthorized read access to a
| subset of MySQL Server accessible data. CVSS 3.1 Base Score 5.4
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
CVE-2025-21543[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Packaging). Supported versions that are
| affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior.
| Easily exploitable vulnerability allows high privileged attacker
| with network access via multiple protocols to compromise MySQL
| Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2025-21546[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Security: Privileges). Supported versions that
| are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result
| in unauthorized update, insert or delete access to some of MySQL
| Server accessible data as well as unauthorized read access to a
| subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.8
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).
CVE-2025-21490[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2025-21491[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2025-21497[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server as well as unauthorized update, insert or
| delete access to some of MySQL Server accessible data. CVSS 3.1 Base
| Score 5.5 (Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
CVE-2025-21500[8]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior.
| Easily exploitable vulnerability allows low privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2025-21501[9]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior.
| Easily exploitable vulnerability allows low privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2025-21503[10]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2025-21505[11]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Components Services). Supported versions that
| are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result
| in unauthorized ability to cause a hang or frequently repeatable
| crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2025-21518[12]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior.
| Easily exploitable vulnerability allows low privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2025-21519[13]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Security: Privileges). Supported versions that
| are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and
| prior. Difficult to exploit vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result
| in unauthorized ability to cause a hang or frequently repeatable
| crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2025-21520[14]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Options). Supported versions that are affected
| are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior.
| Difficult to exploit vulnerability allows high privileged attacker
| with logon to the infrastructure where MySQL Server executes to
| compromise MySQL Server. Successful attacks require human
| interaction from a person other than the attacker. Successful
| attacks of this vulnerability can result in unauthorized read
| access to a subset of MySQL Server accessible data. CVSS 3.1 Base
| Score 1.8 (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N).
CVE-2025-21522[15]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Parser). Supported versions that are affected
| are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily
| exploitable vulnerability allows low privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2025-21523[16]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2025-21529[17]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Information Schema). Supported versions that
| are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result
| in unauthorized ability to cause a hang or frequently repeatable
| crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2025-21531[18]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) IDs in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-21555
https://www.cve.org/CVERecord?id=CVE-2025-21555
[1] https://security-tracker.debian.org/tracker/CVE-2025-21559
https://www.cve.org/CVERecord?id=CVE-2025-21559
[2] https://security-tracker.debian.org/tracker/CVE-2025-21540
https://www.cve.org/CVERecord?id=CVE-2025-21540
[3] https://security-tracker.debian.org/tracker/CVE-2025-21543
https://www.cve.org/CVERecord?id=CVE-2025-21543
[4] https://security-tracker.debian.org/tracker/CVE-2025-21546
https://www.cve.org/CVERecord?id=CVE-2025-21546
[5] https://security-tracker.debian.org/tracker/CVE-2025-21490
https://www.cve.org/CVERecord?id=CVE-2025-21490
[6] https://security-tracker.debian.org/tracker/CVE-2025-21491
https://www.cve.org/CVERecord?id=CVE-2025-21491
[7] https://security-tracker.debian.org/tracker/CVE-2025-21497
https://www.cve.org/CVERecord?id=CVE-2025-21497
[8] https://security-tracker.debian.org/tracker/CVE-2025-21500
https://www.cve.org/CVERecord?id=CVE-2025-21500
[9] https://security-tracker.debian.org/tracker/CVE-2025-21501
https://www.cve.org/CVERecord?id=CVE-2025-21501
[10] https://security-tracker.debian.org/tracker/CVE-2025-21503
https://www.cve.org/CVERecord?id=CVE-2025-21503
[11] https://security-tracker.debian.org/tracker/CVE-2025-21505
https://www.cve.org/CVERecord?id=CVE-2025-21505
[12] https://security-tracker.debian.org/tracker/CVE-2025-21518
https://www.cve.org/CVERecord?id=CVE-2025-21518
[13] https://security-tracker.debian.org/tracker/CVE-2025-21519
https://www.cve.org/CVERecord?id=CVE-2025-21519
[14] https://security-tracker.debian.org/tracker/CVE-2025-21520
https://www.cve.org/CVERecord?id=CVE-2025-21520
[15] https://security-tracker.debian.org/tracker/CVE-2025-21522
https://www.cve.org/CVERecord?id=CVE-2025-21522
[16] https://security-tracker.debian.org/tracker/CVE-2025-21523
https://www.cve.org/CVERecord?id=CVE-2025-21523
[17] https://security-tracker.debian.org/tracker/CVE-2025-21529
https://www.cve.org/CVERecord?id=CVE-2025-21529
[18] https://security-tracker.debian.org/tracker/CVE-2025-21531
https://www.cve.org/CVERecord?id=CVE-2025-21531
Please adjust the affected versions in the BTS as needed.