Security vulnerability in the Connector/J subcomponent of MySQL Connectors 8.0.12 and earlier, and a related analysis

Today I uploaded my SpringBoot project to GitHub, and the murphysec security scanning platform found a security issue in my code, as follows:

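Vulnerability title: Oracle MySQL Connectors component access control error vulnerability
Vulnerability ID: CVE-2018-3258
Vulnerability description:
Oracle MySQL is an open-source relational database management system from Oracle Corporation (USA). It offers high performance, low cost and good reliability. MySQL Connectors is the set of drivers that applications use to connect to MySQL.
The Connector/J subcomponent of the MySQL Connectors component in Oracle MySQL, version 8.0.12 and earlier, contains a security vulnerability. An attacker can exploit it to take control of the component, affecting the confidentiality, integrity and availability of data.
National vulnerability database entry: https://www.cnvd.org.cn/flaw/show/CNVD-2019-39877
Severity: High
Affected range: (-∞, 8.0.13)
Minimum fixed version: 8.0.13
Dependency path: mysql:mysql-connector-java@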



Detailed vulnerability information: NVD - CVE-2021-2471

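In plain language, the above means: there is a vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). The supported versions affected are 8.0.26 and prior. This difficult-to-exploit vulnerability allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Connectors. A successful attack can result in unauthorized access to critical data or complete access to all data accessible to MySQL Connectors, as well as the unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Connectors.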

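The Oracle MySQL Connector/J JDBC driver before version 8.0.27 has an XML External Entity (XXE) injection vulnerability when processing XML data, which may lead to disclosure of sensitive data. Cause: before MySQL Connector/J 8.0.27, the getSource() method in MysqlSQLXML did not validate the XML data passed to it, so an attacker could introduce external entities into the XML data and cause an XXE attack.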


For this I also looked up the vulnerability ranking from recent years (2018), the Oracle MySQL Risk Matrix; this Connector/J vulnerability ranks third.

Original ranking link: Oracle Critical Patch Update - October 2018

The columns from Base Score through Availability are the CVSS VERSION 3.0 RISK ratings (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-11776 | MySQL Enterprise Monitor | Monitoring: General (Apache Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior | |
| CVE-2018-8014 | MySQL Enterprise Monitor | Monitoring: General (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior | |
| CVE-2018-3258 | MySQL Connectors | Connector/J | X Protocol | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 8.0.12 and prior | |
| CVE-2018-1258 | MySQL Enterprise Monitor | Monitoring: General (Spring Framework) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior | |
| CVE-2016-9843 | MySQL Server | InnoDB (zlib) | MySQL Protocol | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3155 | MySQL Server | Server: Parser | MySQL Protocol | No | 7.7 | Network | Low | Low | None | Changed | None | None | High | 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3143 | MySQL Server | InnoDB | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3156 | MySQL Server | InnoDB | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3251 | MySQL Server | InnoDB | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3182 | MySQL Server | Server: DML | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.12 and prior | |
| CVE-2018-3137 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.12 and prior | |
| CVE-2018-3203 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.12 and prior | |
| CVE-2018-3133 | MySQL Server | Server: Parser | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3145 | MySQL Server | Server: Parser | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.12 and prior | |
| CVE-2018-3144 | MySQL Server | Server: Security: Audit | MySQL Protocol | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3185 | MySQL Server | InnoDB | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3195 | MySQL Server | Server: DDL | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.12 and prior | |
| CVE-2018-3247 | MySQL Server | Server: Merge | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3187 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3174 | MySQL Server | Client programs | MySQL Protocol | No | 5.3 | Local | High | High | None | Changed | None | None | High | 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3171 | MySQL Server | Server: Partition | MySQL Protocol | No | 5.0 | Network | High | High | None | Unchanged | None | Low | High | 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3277 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3162 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3173 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3200 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3170 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.12 and prior | |
| CVE-2018-3212 | MySQL Server | Server: Information Schema | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.12 and prior | |
| CVE-2018-3280 | MySQL Server | Server: JSON | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.12 and prior | |
| CVE-2018-3276 | MySQL Server | Server: Memcached | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3186 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.12 and prior | |
| CVE-2018-3161 | MySQL Server | Server: Partition | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3278 | MySQL Server | Server: RBR | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3279 | MySQL Server | Server: Security: Roles | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.12 and prior | |
| CVE-2018-3282 | MySQL Server | Server: Storage Engines | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3285 | MySQL Server | Server: Windows | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.12 and prior | |
| CVE-2018-3284 | MySQL Server | InnoDB | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3283 | MySQL Server | Server: Logging | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.7.23 and prior, 8.0.12 and prior | |
| CVE-2018-3286 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 8.0.12 and prior | |