Update Vulnerabilities list
Indenting mysqltuner Update Usage information
This commit is contained in:
Jean-Marie RENOUARD
parent
1e9920b545
commit
645e034efd
1 changed files with 68 additions and 0 deletions
|
|
@ -1444,12 +1444,56 @@
|
||||||
5.7.33;5;7;33;CVE-2021-2307;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210513-0002/ | MISC:https://www.oracle.com/security-alerts/cpuapr2021.html | URL:https://www.oracle.com/security-alerts/cpuapr2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
5.7.33;5;7;33;CVE-2021-2307;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210513-0002/ | MISC:https://www.oracle.com/security-alerts/cpuapr2021.html | URL:https://www.oracle.com/security-alerts/cpuapr2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
8.0.23;8;0;23;CVE-2021-2307;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210513-0002/ | MISC:https://www.oracle.com/security-alerts/cpuapr2021.html | URL:https://www.oracle.com/security-alerts/cpuapr2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
8.0.23;8;0;23;CVE-2021-2307;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210513-0002/ | MISC:https://www.oracle.com/security-alerts/cpuapr2021.html | URL:https://www.oracle.com/security-alerts/cpuapr2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
8.0.23;8;0;23;CVE-2021-2308;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210513-0002/ | MISC:https://www.oracle.com/security-alerts/cpuapr2021.html | URL:https://www.oracle.com/security-alerts/cpuapr2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
8.0.23;8;0;23;CVE-2021-2308;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210513-0002/ | MISC:https://www.oracle.com/security-alerts/cpuapr2021.html | URL:https://www.oracle.com/security-alerts/cpuapr2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2339;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2340;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Memcached). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
5.7.34;5;7;34;CVE-2021-2342;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2342;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2352;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2354;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Federated). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
5.7.34;5;7;34;CVE-2021-2356;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2356;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2357;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2367;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2370;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
5.7.34;5;7;34;CVE-2021-2372;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2372;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2374;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.1 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2383;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2384;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
5.7.34;5;7;34;CVE-2021-2385;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2385;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2387;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
5.7.34;5;7;34;CVE-2021-2389;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.zerodayinitiative.com/advisories/ZDI-21-880/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2389;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.zerodayinitiative.com/advisories/ZDI-21-880/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
5.7.34;5;7;34;CVE-2021-2390;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.zerodayinitiative.com/advisories/ZDI-21-881/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2390;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.zerodayinitiative.com/advisories/ZDI-21-881/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2399;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2402;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Locking). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2410;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.21;8;0;21;CVE-2021-2412;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2417;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update; insert or delete access to some of MySQL Server accessible data and unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality; Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2418;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2422;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2424;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2425;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2426;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2427;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2429;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.zerodayinitiative.com/advisories/ZDI-21-889/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2437;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2440;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.25;8;0;25;CVE-2021-2441;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
|
8.0.23;8;0;23;CVE-2021-2444;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";""
|
||||||
0.20.2;0;20;2;CVE-2021-26919;Candidate;"Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties; which; if left unmitigated; can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2";"MISC:https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E | URL:https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E | MLIST:[druid-commits] 20210401 [GitHub] [druid] jihoonson merged pull request #11047: Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc@%3Ccommits.druid.apache.org%3E | MLIST:[druid-commits] 20210412 [GitHub] [druid] jihoonson merged pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872@%3Ccommits.druid.apache.org%3E | MLIST:[druid-commits] 20210412 [GitHub] [druid] jihoonson opened a new pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864@%3Ccommits.druid.apache.org%3E | MLIST:[druid-dev] 20210331 Regarding the 0.21.0 release | URL:https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210401 Re: Subject: [CVE-2021-26919] Authenticated users can execute arbitrary code from malicious MySQL database systems | URL:https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210405 Re: Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210405 Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210414 Re: Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f@%3Cdev.druid.apache.org%3E";Assigned (20210209);"None (candidate not yet proposed)";""
|
0.20.2;0;20;2;CVE-2021-26919;Candidate;"Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties; which; if left unmitigated; can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2";"MISC:https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E | URL:https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E | MLIST:[druid-commits] 20210401 [GitHub] [druid] jihoonson merged pull request #11047: Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc@%3Ccommits.druid.apache.org%3E | MLIST:[druid-commits] 20210412 [GitHub] [druid] jihoonson merged pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872@%3Ccommits.druid.apache.org%3E | MLIST:[druid-commits] 20210412 [GitHub] [druid] jihoonson opened a new pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864@%3Ccommits.druid.apache.org%3E | MLIST:[druid-dev] 20210331 Regarding the 0.21.0 release | URL:https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210401 Re: Subject: [CVE-2021-26919] Authenticated users can execute arbitrary code from malicious MySQL database systems | URL:https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210405 Re: Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210405 Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210414 Re: Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f@%3Cdev.druid.apache.org%3E";Assigned (20210209);"None (candidate not yet proposed)";""
|
||||||
0.21.0;0;21;0;CVE-2021-26919;Candidate;"Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties; which; if left unmitigated; can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2";"MISC:https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E | URL:https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E | MLIST:[druid-commits] 20210401 [GitHub] [druid] jihoonson merged pull request #11047: Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc@%3Ccommits.druid.apache.org%3E | MLIST:[druid-commits] 20210412 [GitHub] [druid] jihoonson merged pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872@%3Ccommits.druid.apache.org%3E | MLIST:[druid-commits] 20210412 [GitHub] [druid] jihoonson opened a new pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864@%3Ccommits.druid.apache.org%3E | MLIST:[druid-dev] 20210331 Regarding the 0.21.0 release | URL:https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210401 Re: Subject: [CVE-2021-26919] Authenticated users can execute arbitrary code from malicious MySQL database systems | URL:https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210405 Re: Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210405 Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210414 Re: Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f@%3Cdev.druid.apache.org%3E";Assigned (20210209);"None (candidate not yet proposed)";""
|
0.21.0;0;21;0;CVE-2021-26919;Candidate;"Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties; which; if left unmitigated; can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2";"MISC:https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E | URL:https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E | MLIST:[druid-commits] 20210401 [GitHub] [druid] jihoonson merged pull request #11047: Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc@%3Ccommits.druid.apache.org%3E | MLIST:[druid-commits] 20210412 [GitHub] [druid] jihoonson merged pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872@%3Ccommits.druid.apache.org%3E | MLIST:[druid-commits] 20210412 [GitHub] [druid] jihoonson opened a new pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864@%3Ccommits.druid.apache.org%3E | MLIST:[druid-dev] 20210331 Regarding the 0.21.0 release | URL:https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210401 Re: Subject: [CVE-2021-26919] Authenticated users can execute arbitrary code from malicious MySQL database systems | URL:https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210405 Re: Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210405 Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210414 Re: Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f@%3Cdev.druid.apache.org%3E";Assigned (20210209);"None (candidate not yet proposed)";""
|
||||||
10.2.36;10;2;36;CVE-2021-27928;Candidate;"A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37; 10.3 before 10.3.28; 10.4 before 10.4.18; and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection; in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.";"GENTOO:GLSA-202105-28 | URL:https://security.gentoo.org/glsa/202105-28 | MISC:http://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html | MISC:https://jira.mariadb.org/browse/MDEV-25179 | MISC:https://mariadb.com/kb/en/mariadb-10237-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10328-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10418-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-1059-release-notes/ | MISC:https://mariadb.com/kb/en/security/ | MLIST:[debian-lts-announce] 20210323 [SECURITY] [DLA 2605-1] mariadb-10.1 security update | URL:https://lists.debian.org/debian-lts-announce/2021/03/msg00028.html";Assigned (20210303);"None (candidate not yet proposed)";""
|
10.2.36;10;2;36;CVE-2021-27928;Candidate;"A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37; 10.3 before 10.3.28; 10.4 before 10.4.18; and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection; in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.";"GENTOO:GLSA-202105-28 | URL:https://security.gentoo.org/glsa/202105-28 | MISC:http://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html | MISC:https://jira.mariadb.org/browse/MDEV-25179 | MISC:https://mariadb.com/kb/en/mariadb-10237-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10328-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10418-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-1059-release-notes/ | MISC:https://mariadb.com/kb/en/security/ | MLIST:[debian-lts-announce] 20210323 [SECURITY] [DLA 2605-1] mariadb-10.1 security update | URL:https://lists.debian.org/debian-lts-announce/2021/03/msg00028.html";Assigned (20210303);"None (candidate not yet proposed)";""
|
||||||
10.3.27;10;3;27;CVE-2021-27928;Candidate;"A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37; 10.3 before 10.3.28; 10.4 before 10.4.18; and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection; in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.";"GENTOO:GLSA-202105-28 | URL:https://security.gentoo.org/glsa/202105-28 | MISC:http://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html | MISC:https://jira.mariadb.org/browse/MDEV-25179 | MISC:https://mariadb.com/kb/en/mariadb-10237-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10328-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10418-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-1059-release-notes/ | MISC:https://mariadb.com/kb/en/security/ | MLIST:[debian-lts-announce] 20210323 [SECURITY] [DLA 2605-1] mariadb-10.1 security update | URL:https://lists.debian.org/debian-lts-announce/2021/03/msg00028.html";Assigned (20210303);"None (candidate not yet proposed)";""
|
10.3.27;10;3;27;CVE-2021-27928;Candidate;"A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37; 10.3 before 10.3.28; 10.4 before 10.4.18; and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection; in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.";"GENTOO:GLSA-202105-28 | URL:https://security.gentoo.org/glsa/202105-28 | MISC:http://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html | MISC:https://jira.mariadb.org/browse/MDEV-25179 | MISC:https://mariadb.com/kb/en/mariadb-10237-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10328-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10418-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-1059-release-notes/ | MISC:https://mariadb.com/kb/en/security/ | MLIST:[debian-lts-announce] 20210323 [SECURITY] [DLA 2605-1] mariadb-10.1 security update | URL:https://lists.debian.org/debian-lts-announce/2021/03/msg00028.html";Assigned (20210303);"None (candidate not yet proposed)";""
|
||||||
10.4.17;10;4;17;CVE-2021-27928;Candidate;"A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37; 10.3 before 10.3.28; 10.4 before 10.4.18; and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection; in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.";"GENTOO:GLSA-202105-28 | URL:https://security.gentoo.org/glsa/202105-28 | MISC:http://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html | MISC:https://jira.mariadb.org/browse/MDEV-25179 | MISC:https://mariadb.com/kb/en/mariadb-10237-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10328-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10418-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-1059-release-notes/ | MISC:https://mariadb.com/kb/en/security/ | MLIST:[debian-lts-announce] 20210323 [SECURITY] [DLA 2605-1] mariadb-10.1 security update | URL:https://lists.debian.org/debian-lts-announce/2021/03/msg00028.html";Assigned (20210303);"None (candidate not yet proposed)";""
|
10.4.17;10;4;17;CVE-2021-27928;Candidate;"A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37; 10.3 before 10.3.28; 10.4 before 10.4.18; and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection; in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.";"GENTOO:GLSA-202105-28 | URL:https://security.gentoo.org/glsa/202105-28 | MISC:http://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html | MISC:https://jira.mariadb.org/browse/MDEV-25179 | MISC:https://mariadb.com/kb/en/mariadb-10237-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10328-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10418-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-1059-release-notes/ | MISC:https://mariadb.com/kb/en/security/ | MLIST:[debian-lts-announce] 20210323 [SECURITY] [DLA 2605-1] mariadb-10.1 security update | URL:https://lists.debian.org/debian-lts-announce/2021/03/msg00028.html";Assigned (20210303);"None (candidate not yet proposed)";""
|
||||||
10.5.8;10;5;8;CVE-2021-27928;Candidate;"A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37; 10.3 before 10.3.28; 10.4 before 10.4.18; and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection; in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.";"GENTOO:GLSA-202105-28 | URL:https://security.gentoo.org/glsa/202105-28 | MISC:http://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html | MISC:https://jira.mariadb.org/browse/MDEV-25179 | MISC:https://mariadb.com/kb/en/mariadb-10237-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10328-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10418-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-1059-release-notes/ | MISC:https://mariadb.com/kb/en/security/ | MLIST:[debian-lts-announce] 20210323 [SECURITY] [DLA 2605-1] mariadb-10.1 security update | URL:https://lists.debian.org/debian-lts-announce/2021/03/msg00028.html";Assigned (20210303);"None (candidate not yet proposed)";""
|
10.5.8;10;5;8;CVE-2021-27928;Candidate;"A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37; 10.3 before 10.3.28; 10.4 before 10.4.18; and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection; in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.";"GENTOO:GLSA-202105-28 | URL:https://security.gentoo.org/glsa/202105-28 | MISC:http://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html | MISC:https://jira.mariadb.org/browse/MDEV-25179 | MISC:https://mariadb.com/kb/en/mariadb-10237-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10328-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10418-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-1059-release-notes/ | MISC:https://mariadb.com/kb/en/security/ | MLIST:[debian-lts-announce] 20210323 [SECURITY] [DLA 2605-1] mariadb-10.1 security update | URL:https://lists.debian.org/debian-lts-announce/2021/03/msg00028.html";Assigned (20210303);"None (candidate not yet proposed)";""
|
||||||
|
2.11.10;2;11;10;CVE-2021-32743;Candidate;"Icinga is a monitoring system which checks the availability of network resources; notifies users of outages; and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4; some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add; modify and delete information there. If credentials with more permissions are in use; this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases; these passwords are no longer exposed via the API. As a workaround; API user permissions can be restricted to not allow querying of any affected objects; either by explicitly listing only the required object types for object query permissions; or by applying a filter rule.";"CONFIRM:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | URL:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | MISC:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ | URL:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/";Assigned (20210512);"None (candidate not yet proposed)";""
|
||||||
|
2.12.0;2;12;0;CVE-2021-32743;Candidate;"Icinga is a monitoring system which checks the availability of network resources; notifies users of outages; and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4; some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add; modify and delete information there. If credentials with more permissions are in use; this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases; these passwords are no longer exposed via the API. As a workaround; API user permissions can be restricted to not allow querying of any affected objects; either by explicitly listing only the required object types for object query permissions; or by applying a filter rule.";"CONFIRM:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | URL:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | MISC:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ | URL:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/";Assigned (20210512);"None (candidate not yet proposed)";""
|
||||||
|
2.12.4;2;12;4;CVE-2021-32743;Candidate;"Icinga is a monitoring system which checks the availability of network resources; notifies users of outages; and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4; some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add; modify and delete information there. If credentials with more permissions are in use; this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases; these passwords are no longer exposed via the API. As a workaround; API user permissions can be restricted to not allow querying of any affected objects; either by explicitly listing only the required object types for object query permissions; or by applying a filter rule.";"CONFIRM:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | URL:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | MISC:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ | URL:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/";Assigned (20210512);"None (candidate not yet proposed)";""
|
||||||
|
2.8.0;2;8;0;CVE-2021-32743;Candidate;"Icinga is a monitoring system which checks the availability of network resources; notifies users of outages; and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4; some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add; modify and delete information there. If credentials with more permissions are in use; this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases; these passwords are no longer exposed via the API. As a workaround; API user permissions can be restricted to not allow querying of any affected objects; either by explicitly listing only the required object types for object query permissions; or by applying a filter rule.";"CONFIRM:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | URL:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | MISC:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ | URL:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/";Assigned (20210512);"None (candidate not yet proposed)";""
|
||||||
|
2.12.5;2;12;5;CVE-2021-32743;Candidate;"Icinga is a monitoring system which checks the availability of network resources; notifies users of outages; and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4; some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add; modify and delete information there. If credentials with more permissions are in use; this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases; these passwords are no longer exposed via the API. As a workaround; API user permissions can be restricted to not allow querying of any affected objects; either by explicitly listing only the required object types for object query permissions; or by applying a filter rule.";"CONFIRM:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | URL:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | MISC:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ | URL:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/";Assigned (20210512);"None (candidate not yet proposed)";""
|
||||||
19.0.5;19;0;5;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";""
|
19.0.5;19;0;5;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";""
|
||||||
11.0.5;11;0;5;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";""
|
11.0.5;11;0;5;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";""
|
||||||
19.1.4;19;1;4;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";""
|
19.1.4;19;1;4;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";""
|
||||||
|
|
@ -1462,3 +1506,27 @@
|
||||||
12.1.3;12;1;3;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";""
|
12.1.3;12;1;3;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";""
|
||||||
21.0.0;21;0;0;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";""
|
21.0.0;21;0;0;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";""
|
||||||
13.0.0;13;0;0;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";""
|
13.0.0;13;0;0;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";""
|
||||||
|
21.0.2;21;0;2;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";""
|
||||||
|
13.0.2;13;0;2;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";""
|
||||||
|
19.0.6;19;0;6;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";""
|
||||||
|
11.0.6;11;0;6;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";""
|
||||||
|
19.1.5;19;1;5;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";""
|
||||||
|
11.1.5;11;1;5;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";""
|
||||||
|
19.2.2;19;2;2;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";""
|
||||||
|
11.2.2;11;2;2;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";""
|
||||||
|
20.0.5;20;0;5;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";""
|
||||||
|
12.0.5;12;0;5;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";""
|
||||||
|
20.1.4;20;1;4;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";""
|
||||||
|
12.1.4;12;1;4;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";""
|
||||||
|
21.0.3;21;0;3;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";""
|
||||||
|
13.0.3;13;0;3;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";""
|
||||||
|
19.0.7;19;0;7;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";""
|
||||||
|
11.0.7;11;0;7;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";""
|
||||||
|
19.1.6;19;1;6;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";""
|
||||||
|
11.1.6;11;1;6;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";""
|
||||||
|
19.2.3;19;2;3;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";""
|
||||||
|
11.2.3;11;2;3;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";""
|
||||||
|
20.0.6;20;0;6;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";""
|
||||||
|
12.0.6;12;0;6;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";""
|
||||||
|
20.1.5;20;1;5;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";""
|
||||||
|
12.1.5;12;1;5;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";""
|
||||||
|
|
|
||||||
|
Can't render this file because it is too large.
|
Loading…
Reference in a new issue