From 747675b1baad359c348c213e9322c9fbdc4ccddc Mon Sep 17 00:00:00 2001 From: Jean-Marie Renouard Date: Fri, 4 Feb 2022 16:01:22 +0100 Subject: [PATCH] Update Vulnerabilities list Indenting mysqltuner Update Usage information --- USAGE.md | 156 ++++++++++++++++++++++++++++++ mysqltuner.pl | 229 +++++++++++++++++++++++++------------------- vulnerabilities.csv | 71 -------------- 3 files changed, 289 insertions(+), 167 deletions(-) diff --git a/USAGE.md b/USAGE.md index e69de29..b3ce8ad 100644 --- a/USAGE.md +++ b/USAGE.md @@ -0,0 +1,156 @@ +# NAME + + MySQLTuner 1.9.0 - MySQL High Performance Tuning Script + +# IMPORTANT USAGE GUIDELINES + +To run the script with the default options, run the script without arguments +Allow MySQL server to run for at least 24-48 hours before trusting suggestions +Some routines may require root level privileges (script will provide warnings) +You must provide the remote server's total memory when connecting to other servers + +# CONNECTION AND AUTHENTICATION + + --host Connect to a remote host to perform tests (default: localhost) + --socket Use a different socket for a local connection + --port Port to use for connection (default: 3306) + --user Username to use for authentication + --userenv Name of env variable which contains username to use for authentication + --pass Password to use for authentication + --passenv Name of env variable which contains password to use for authentication + --ssl-ca Path to public key + --mysqladmin Path to a custom mysqladmin executable + --mysqlcmd Path to a custom mysql executable + --defaults-file Path to a custom .my.cnf + --server-log Path to explict log file + +# PERFORMANCE AND REPORTING OPTIONS + + --skipsize Don't enumerate tables and their types/sizes (default: on) + (Recommended for servers with many tables) + --skippassword Don't perform checks on user passwords(default: off) + --checkversion Check for updates to MySQLTuner (default: don't check) + --updateversion Check for updates to MySQLTuner and update when newer version is available (default: don't check) + --forcemem Amount of RAM installed in megabytes + --forceswap Amount of swap memory configured in megabytes + --passwordfile Path to a password file list(one password by line) + +# OUTPUT OPTIONS + + --silent Don't output anything on screen + --nogood Remove OK responses + --nobad Remove negative/suggestion responses + --noinfo Remove informational responses + --debug Print debug information + --noprocess Consider no other process is running + --dbstat Print database information + --nodbstat Don't Print database information + --tbstat Print table information + --notbstat Don't Print table information + --colstat Print column information + --nocolstat Don't Print column information + --idxstat Print index information + --noidxstat Don't Print index information + --sysstat Print system information + --nosysstat Don't Print system information + --pfstat Print Performance schema + --nopfstat Don't Print Performance schema + --verbose Prints out all options (default: no verbose, dbstat, idxstat, sysstat, tbstat, pfstat) + --bannedports Ports banned separated by comma(,) + --maxportallowed Number of ports opened allowed on this hosts + --cvefile CVE File for vulnerability checks + --nocolor Don't print output in color + --json Print result as JSON string + --buffers Print global and per-thread buffer values + --outputfile Path to a output txt file + --reportfile Path to a report txt file + --template Path to a template file + +# PERLDOC + +You can find documentation for this module with the perldoc command. + + perldoc mysqltuner + +## INTERNALS + +[https://github.com/major/MySQLTuner-perl/blob/master/INTERNALS.md](https://github.com/major/MySQLTuner-perl/blob/master/INTERNALS.md) + + Internal documentation + +# AUTHORS + +Major Hayden - major@mhtx.net + +# CONTRIBUTORS + +- Matthew Montgomery +- Paul Kehrer +- Dave Burgess +- Jonathan Hinds +- Mike Jackson +- Nils Breunese +- Shawn Ashlee +- Luuk Vosslamber +- Ville Skytta +- Trent Hornibrook +- Jason Gill +- Mark Imbriaco +- Greg Eden +- Aubin Galinotti +- Giovanni Bechis +- Bill Bradford +- Ryan Novosielski +- Michael Scheidell +- Blair Christensen +- Hans du Plooy +- Victor Trac +- Everett Barnes +- Tom Krouper +- Gary Barrueto +- Simon Greenaway +- Adam Stein +- Isart Montane +- Baptiste M. +- Cole Turner +- Major Hayden +- Joe Ashcraft +- Jean-Marie Renouard +- Stephan GroBberndt +- Christian Loos + +# SUPPORT + +Bug reports, feature requests, and downloads at http://mysqltuner.pl/ + +Bug tracker can be found at https://github.com/major/MySQLTuner-perl/issues + +Maintained by Major Hayden (major\\@mhtx.net) - Licensed under GPL + +# SOURCE CODE + +[https://github.com/major/MySQLTuner-perl](https://github.com/major/MySQLTuner-perl) + + git clone https://github.com/major/MySQLTuner-perl.git + +# COPYRIGHT AND LICENSE + +Copyright (C) 2006-2022 Major Hayden - major@mhtx.net + +For the latest updates, please visit http://mysqltuner.pl/ + +Git repository available at https://github.com/major/MySQLTuner-perl + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + + See the GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see <https://www.gnu.org/licenses/>. diff --git a/mysqltuner.pl b/mysqltuner.pl index 746bee5..f4505f0 100755 --- a/mysqltuner.pl +++ b/mysqltuner.pl @@ -1065,49 +1065,61 @@ sub select_str_g { } sub select_user_dbs { - return select_array("SELECT DISTINCT TABLE_SCHEMA FROM information_schema.TABLES WHERE TABLE_SCHEMA NOT IN ('mysql', 'information_schema', 'performance_schema', 'percona', 'sys')") + return select_array( +"SELECT DISTINCT TABLE_SCHEMA FROM information_schema.TABLES WHERE TABLE_SCHEMA NOT IN ('mysql', 'information_schema', 'performance_schema', 'percona', 'sys')" + ); } -sub select_tables_db() -{ - my $schema=shift; - return select_array("SELECT DISTINCT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA='$schema'") -} -sub select_indexes_db() -{ - my $schema=shift; - return select_array("SELECT DISTINCT INDEX_NAME FROM information_schema.STATISTICS WHERE TABLE_SCHEMA='$schema'") +sub select_tables_db() { + my $schema = shift; + return select_array( +"SELECT DISTINCT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA='$schema'" + ); } -sub select_views_db -{ - my $schema=shift; - return select_array("SELECT DISTINCT TABLE_NAME FROM information_schema.VIEWS WHERE TABLE_SCHEMA='$schema'") -} -sub select_triggers_db -{ - my $schema=shift; - return select_array("SELECT DISTINCT TRIGGER_NAME FROM information_schema.TRIGGERS WHERE TRIGGER_SCHEMA='$schema'") +sub select_indexes_db() { + my $schema = shift; + return select_array( +"SELECT DISTINCT INDEX_NAME FROM information_schema.STATISTICS WHERE TABLE_SCHEMA='$schema'" + ); } -sub select_routines_db -{ - my $schema=shift; - return select_array("SELECT DISTINCT ROUTINE_NAME FROM information_schema.ROUTINES WHERE ROUTINE_SCHEMA='$schema'") +sub select_views_db { + my $schema = shift; + return select_array( +"SELECT DISTINCT TABLE_NAME FROM information_schema.VIEWS WHERE TABLE_SCHEMA='$schema'" + ); } -sub select_table_indexes_db -{ - my $schema=shift; - my $tbname=shift; - return select_array("SELECT INDEX_NAME FROM information_schema.STATISTICS WHERE TABLE_SCHEMA='$schema' AND TABLE_NAME='$tbname'") -} -sub select_table_columns_db{ - my $schema=shift; - my $table=shift; - return select_array("SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='$schema' AND TABLE_NAME='$table'") +sub select_triggers_db { + my $schema = shift; + return select_array( +"SELECT DISTINCT TRIGGER_NAME FROM information_schema.TRIGGERS WHERE TRIGGER_SCHEMA='$schema'" + ); } +sub select_routines_db { + my $schema = shift; + return select_array( +"SELECT DISTINCT ROUTINE_NAME FROM information_schema.ROUTINES WHERE ROUTINE_SCHEMA='$schema'" + ); +} + +sub select_table_indexes_db { + my $schema = shift; + my $tbname = shift; + return select_array( +"SELECT INDEX_NAME FROM information_schema.STATISTICS WHERE TABLE_SCHEMA='$schema' AND TABLE_NAME='$tbname'" + ); +} + +sub select_table_columns_db { + my $schema = shift; + my $table = shift; + return select_array( +"SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='$schema' AND TABLE_NAME='$table'" + ); +} sub get_tuning_info { my @infoconn = select_array "\\s"; @@ -1199,9 +1211,11 @@ sub get_all_vars { # MariaDB: thread_handling = pool-of-threads # MySQL: thread_handling = loaded-dynamically $myvar{'have_threadpool'} = "NO"; - if ( defined( $myvar{'thread_handling'} ) - and ( $myvar{'thread_handling'} eq 'pool-of-threads' - || $myvar{'thread_handling'} eq 'loaded-dynamically' ) ) + if ( + defined( $myvar{'thread_handling'} ) + and ( $myvar{'thread_handling'} eq 'pool-of-threads' + || $myvar{'thread_handling'} eq 'loaded-dynamically' ) + ) { $myvar{'have_threadpool'} = "YES"; } @@ -1400,7 +1414,7 @@ sub log_file_recommendations { $numLi++; debugprint "$numLi: $logLi" if $logLi =~ /warning|error/i and $logLi !~ /Logging to/; - $nbErrLog++ if $logLi =~ /error/i and $logLi !~ /Logging to/; + $nbErrLog++ if $logLi =~ /error/i and $logLi !~ /Logging to/; $nbWarnLog++ if $logLi =~ /warning/i; push @lastShutdowns, $logLi if $logLi =~ /Shutdown complete/ and $logLi !~ /Innodb/i; @@ -1598,9 +1612,10 @@ sub get_fs_info { push( @generalrec, "Add some space to $2 mountpoint." ); } else { - infoprint "mount point $2 is using $1 % of total space (free: $3)"; + infoprint + "mount point $2 is using $1 % of total space (free: $3)"; } - $result{'Filesystem'}{'Space Pct'}{$2} = $1; + $result{'Filesystem'}{'Space Pct'}{$2} = $1; $result{'Filesystem'}{'Free Space'}{$2} = $3; } } @@ -2123,7 +2138,7 @@ sub get_replication_status { "This replication slave is not running but seems to be configured."; } if ( defined($io_running) - && $io_running =~ /yes/i + && $io_running =~ /yes/i && $sql_running =~ /yes/i ) { if ( $myvar{'read_only'} eq 'OFF' ) { @@ -3324,9 +3339,9 @@ sub mysql_stats { if ( defined( $myvar{'have_threadpool'} ) and $myvar{'have_threadpool'} eq 'YES' ) { - # https://www.percona.com/doc/percona-server/5.7/performance/threadpool.html#status-variables - # When thread pool is enabled, the value of the thread_cache_size variable - # is ignored. The Threads_cached status variable contains 0 in this case. +# https://www.percona.com/doc/percona-server/5.7/performance/threadpool.html#status-variables +# When thread pool is enabled, the value of the thread_cache_size variable +# is ignored. The Threads_cached status variable contains 0 in this case. infoprint "Thread cache not used with thread pool enabled"; } else { @@ -3571,7 +3586,15 @@ sub mysql_myisam { . hr_bytes( $myvar{'key_buffer_size'} ) . " cache)"; - push(@adjvars,"key_buffer_size (\~ ".hr_num( $myvar{'key_buffer_size'} * $mycalc{'pct_key_buffer_used'} / 100).")"); + push( + @adjvars, + "key_buffer_size (\~ " + . hr_num( + $myvar{'key_buffer_size'} * $mycalc{'pct_key_buffer_used'} + / 100 + ) + . ")" + ); } else { goodprint "Key buffer used: $mycalc{'pct_key_buffer_used'}% (" @@ -3588,8 +3611,7 @@ sub mysql_myisam { # No queries have run that would use keys debugprint "Key buffer used: $mycalc{'pct_key_buffer_used'}% (" . hr_bytes( $myvar{'key_buffer_size'} - - $mystat{'Key_blocks_unused'} * - $myvar{'key_cache_block_size'} ) + $mystat{'Key_blocks_unused'} * $myvar{'key_cache_block_size'} ) . " used / " . hr_bytes( $myvar{'key_buffer_size'} ) . " cache)"; @@ -3687,7 +3709,9 @@ sub mariadb_threadpool { infoprint "ThreadPool stat is enabled."; infoprint "Thread Pool Size: " . $myvar{'thread_pool_size'} . " thread(s)."; - if ( $myvar{'version'} =~ /percona/i or $myvar{'version_comment'} =~ /percona/i ) { + if ( $myvar{'version'} =~ /percona/i + or $myvar{'version_comment'} =~ /percona/i ) + { my $np = cpu_cores; if ( $myvar{'thread_pool_size'} >= $np and $myvar{'thread_pool_size'} < ( $np * 1.5 ) ) @@ -3775,19 +3799,20 @@ sub mysqsl_pfs { # Performance Schema $myvar{'performance_schema'} = 'OFF' unless defined( $myvar{'performance_schema'} ); - if ($myvar{'performance_schema'} eq 'OFF') { + if ( $myvar{'performance_schema'} eq 'OFF' ) { badprint "Performance_schema should be activated."; push( @adjvars, "performance_schema=ON" ); push( @generalrec, - "Performance schema should be activated for better diagnostics" - ); - } else { + "Performance schema should be activated for better diagnostics" ); + } + else { infoprint "Performance_schema is activated."; } - + # IF PFS is eanbled unless ( $myvar{'performance_schema'} ne 'ON' ) { infoprint "Performance schema is disabled."; + # REc enable PFS for diagnostics only if ( mysql_version_ge( 5, 6 ) ) { push( @generalrec, @@ -6183,20 +6208,28 @@ sub mysql_databases { "SELECT DISTINCT(ENGINE) FROM information_schema.TABLES WHERE TABLE_SCHEMA='$_'" ) ) . ")"; - foreach my $eng(select_array( + + foreach my $eng ( + select_array( "SELECT DISTINCT(ENGINE) FROM information_schema.TABLES WHERE TABLE_SCHEMA='$_'" - )) { - infoprint " +-- ENGINE $eng : " . - select_one("SELECT COUNT(*) FROM information_schema.TABLES WHERE TABLE_SCHEMA='$dbinfo[0]' AND ENGINE='$eng'") . - " TABLE(s)"; - } + ) + ) + { + infoprint " +-- ENGINE $eng : " + . select_one( +"SELECT COUNT(*) FROM information_schema.TABLES WHERE TABLE_SCHEMA='$dbinfo[0]' AND ENGINE='$eng'" + ) . " TABLE(s)"; + } badprint "Index size is larger than data size for $dbinfo[0] \n" if ( $dbinfo[2] ne 'NULL' ) and ( $dbinfo[3] ne 'NULL' ) and ( $dbinfo[2] < $dbinfo[3] ); - unless ($dbinfo[5] == 1) { - badprint "There are " . $dbinfo[5] . " storage engines. Be careful. \n"; - push @generalrec, "Select one storage engine (InnoDB is a good choice) for all tables in $dbinfo[0] database ($dbinfo[5] engines detected)"; + unless ( $dbinfo[5] == 1 ) { + badprint "There are " + . $dbinfo[5] + . " storage engines. Be careful. \n"; + push @generalrec, +"Select one storage engine (InnoDB is a good choice) for all tables in $dbinfo[0] database ($dbinfo[5] engines detected)"; } $result{'Databases'}{ $dbinfo[0] }{'Rows'} = $dbinfo[1]; $result{'Databases'}{ $dbinfo[0] }{'Tables'} = $dbinfo[6]; @@ -6293,7 +6326,7 @@ sub mysql_tables { infoprint "Disabling colstat parameter"; } - foreach (select_user_dbs()) { + foreach ( select_user_dbs() ) { my $dbname = $_; next unless defined $_; infoprint "Database: " . $_ . ""; @@ -6303,7 +6336,10 @@ sub mysql_tables { foreach (@dbtable) { my $tbname = $_; infoprint " +-- TABLE: $tbname"; - infoprint " +-- TYPE: ".select_one("SELECT ENGINE FROM information_schema.tables where TABLE_schema='$dbname' AND TABLE_NAME='$tbname'"); + infoprint " +-- TYPE: " + . select_one( +"SELECT ENGINE FROM information_schema.tables where TABLE_schema='$dbname' AND TABLE_NAME='$tbname'" + ); my $selIdxReq = <<"ENDSQL"; SELECT index_name AS idxname, @@ -6314,17 +6350,19 @@ sub mysql_tables { AND TABLE_NAME='$tbname' GROUP BY idxname, type ENDSQL - my @tbidx=select_array($selIdxReq); - my $found=0; - foreach my $idx(@tbidx) { - my @info = split /\s/, $idx; - next if $info[0] eq 'NULL'; - infoprint " +-- Index $info[0] - Cols: $info[1] - Type: $info[2]"; - $found++; + my @tbidx = select_array($selIdxReq); + my $found = 0; + foreach my $idx (@tbidx) { + my @info = split /\s/, $idx; + next if $info[0] eq 'NULL'; + infoprint + " +-- Index $info[0] - Cols: $info[1] - Type: $info[2]"; + $found++; } - if ($found == 0) { - badprint ("Table $dbname.$tbname has no index defined"); - push @generalrec, "Add at least a primary key on table $dbname.$tbname"; + if ( $found == 0 ) { + badprint("Table $dbname.$tbname has no index defined"); + push @generalrec, + "Add at least a primary key on table $dbname.$tbname"; } my @tbcol = select_array( "SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='$dbname' AND TABLE_NAME='$tbname'" @@ -6349,6 +6387,7 @@ ENDSQL and not mysql_version_eq(10) ); } if ( $optimal_type eq '' ) { + #infoprint " +-- Current Fieldtype: $current_type"; #infoprint " Optimal Fieldtype: Not available"; @@ -6458,9 +6497,9 @@ ENDSQL } } infoprint "Indexes per database:"; - foreach my $dbname (select_user_dbs()) { - infoprint "Database: " . $dbname . ""; - $selIdxReq = <<"ENDSQL"; + foreach my $dbname ( select_user_dbs() ) { + infoprint "Database: " . $dbname . ""; + $selIdxReq = <<"ENDSQL"; SELECT concat(concat(table_name,'.'), index_name) AS idxname, GROUP_CONCAT(column_name ORDER BY seq_in_index) AS cols, CARDINALITY as card, @@ -6471,20 +6510,20 @@ ENDSQL AND index_name IS NOT NULL GROUP BY idxname, type ENDSQL - my $found=0; - foreach my $idxinfo (select_array($selIdxReq)) - { - my @info = split /\s/, $idxinfo; - next if $info[0] eq 'NULL'; - infoprint " +-- INDEX : " . $info[0]; - infoprint " +-- COLUMNS : " . $info[1]; - infoprint " +-- CARDINALITY: " . $info[2]; - infoprint " +-- TYPE : " . $info[4] if defined $info[4]; - infoprint " +-- COMMENT : " . $info[5] if defined $info[5]; - $found++; - } - badprint "No index found for $dbname database" if $found == 0; - push @generalrec, "Add indexes on tables from $dbname database" if $found == 0; + my $found = 0; + foreach my $idxinfo ( select_array($selIdxReq) ) { + my @info = split /\s/, $idxinfo; + next if $info[0] eq 'NULL'; + infoprint " +-- INDEX : " . $info[0]; + infoprint " +-- COLUMNS : " . $info[1]; + infoprint " +-- CARDINALITY: " . $info[2]; + infoprint " +-- TYPE : " . $info[4] if defined $info[4]; + infoprint " +-- COMMENT : " . $info[5] if defined $info[5]; + $found++; + } + badprint "No index found for $dbname database" if $found == 0; + push @generalrec, "Add indexes on tables from $dbname database" + if $found == 0; } return unless ( defined( $myvar{'performance_schema'} ) @@ -6511,8 +6550,7 @@ ENDSQL } } -sub mysql_views() -{ +sub mysql_views() { subheaderprint "Views Metrics"; unless ( mysql_version_ge( 5, 5 ) ) { infoprint @@ -6522,8 +6560,7 @@ sub mysql_views() } -sub mysql_routines() -{ +sub mysql_routines() { subheaderprint "Routines Metrics"; unless ( mysql_version_ge( 5, 5 ) ) { infoprint @@ -6533,8 +6570,7 @@ sub mysql_routines() } -sub mysql_triggers() -{ +sub mysql_triggers() { subheaderprint "Triggers Metrics"; unless ( mysql_version_ge( 5, 5 ) ) { infoprint @@ -6543,6 +6579,7 @@ sub mysql_triggers() } } + # Take the two recommendation arrays and display them at the end of the output sub make_recommendations { $result{'Recommendations'} = \@generalrec; diff --git a/vulnerabilities.csv b/vulnerabilities.csv index d6105ce..1596eae 100755 --- a/vulnerabilities.csv +++ b/vulnerabilities.csv @@ -1441,62 +1441,15 @@ 8.0.23;8;0;23;CVE-2021-2301;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210513-0002/ | MISC:https://www.oracle.com/security-alerts/cpuapr2021.html | URL:https://www.oracle.com/security-alerts/cpuapr2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" 8.0.23;8;0;23;CVE-2021-2304;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210513-0002/ | MISC:https://www.oracle.com/security-alerts/cpuapr2021.html | URL:https://www.oracle.com/security-alerts/cpuapr2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" 8.0.23;8;0;23;CVE-2021-2305;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210513-0002/ | MISC:https://www.oracle.com/security-alerts/cpuapr2021.html | URL:https://www.oracle.com/security-alerts/cpuapr2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -15.1.2;15;1;2;CVE-2021-23053;Candidate;"On version 15.1.x before 15.1.3; 14.1.x before 14.1.3.1; and 13.1.x before 13.1.3.6; when the brute force protection feature of BIG-IP Advanced WAF or BIG-IP ASM is enabled on a virtual server and the virtual server is under brute force attack; the MySQL database may run out of disk space due to lack of row limit on undisclosed tables in the MYSQL database. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.";"MISC:https://support.f5.com/csp/article/K36942191 | URL:https://support.f5.com/csp/article/K36942191";Assigned (20210106);"None (candidate not yet proposed)";"" -14.1.2;14;1;2;CVE-2021-23053;Candidate;"On version 15.1.x before 15.1.3; 14.1.x before 14.1.3.1; and 13.1.x before 13.1.3.6; when the brute force protection feature of BIG-IP Advanced WAF or BIG-IP ASM is enabled on a virtual server and the virtual server is under brute force attack; the MySQL database may run out of disk space due to lack of row limit on undisclosed tables in the MYSQL database. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.";"MISC:https://support.f5.com/csp/article/K36942191 | URL:https://support.f5.com/csp/article/K36942191";Assigned (20210106);"None (candidate not yet proposed)";"" -13.1.2;13;1;2;CVE-2021-23053;Candidate;"On version 15.1.x before 15.1.3; 14.1.x before 14.1.3.1; and 13.1.x before 13.1.3.6; when the brute force protection feature of BIG-IP Advanced WAF or BIG-IP ASM is enabled on a virtual server and the virtual server is under brute force attack; the MySQL database may run out of disk space due to lack of row limit on undisclosed tables in the MYSQL database. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.";"MISC:https://support.f5.com/csp/article/K36942191 | URL:https://support.f5.com/csp/article/K36942191";Assigned (20210106);"None (candidate not yet proposed)";"" 5.7.33;5;7;33;CVE-2021-2307;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210513-0002/ | MISC:https://www.oracle.com/security-alerts/cpuapr2021.html | URL:https://www.oracle.com/security-alerts/cpuapr2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" 8.0.23;8;0;23;CVE-2021-2307;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210513-0002/ | MISC:https://www.oracle.com/security-alerts/cpuapr2021.html | URL:https://www.oracle.com/security-alerts/cpuapr2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" 8.0.23;8;0;23;CVE-2021-2308;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210513-0002/ | MISC:https://www.oracle.com/security-alerts/cpuapr2021.html | URL:https://www.oracle.com/security-alerts/cpuapr2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2339;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2340;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Memcached). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -5.7.34;5;7;34;CVE-2021-2342;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2342;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2352;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2354;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Federated). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -5.7.34;5;7;34;CVE-2021-2356;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2356;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2357;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2367;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2370;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -5.7.34;5;7;34;CVE-2021-2372;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2372;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2374;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.1 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2383;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2384;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -5.7.34;5;7;34;CVE-2021-2385;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2385;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | FEDORA:FEDORA-2021-dc4299a8d0 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ | FEDORA:FEDORA-2021-df40c41094 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2387;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -5.7.34;5;7;34;CVE-2021-2389;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.zerodayinitiative.com/advisories/ZDI-21-880/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2389;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.zerodayinitiative.com/advisories/ZDI-21-880/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -5.7.34;5;7;34;CVE-2021-2390;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.zerodayinitiative.com/advisories/ZDI-21-881/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2390;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.zerodayinitiative.com/advisories/ZDI-21-881/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2399;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2402;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Locking). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2410;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.21;8;0;21;CVE-2021-2412;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2417;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update; insert or delete access to some of MySQL Server accessible data and unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality; Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2418;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2422;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2424;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2425;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2426;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2427;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2429;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.zerodayinitiative.com/advisories/ZDI-21-889/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2437;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2440;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.25;8;0;25;CVE-2021-2441;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" -8.0.23;8;0;23;CVE-2021-2444;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ | MISC:https://www.oracle.com/security-alerts/cpujul2021.html | URL:https://www.oracle.com/security-alerts/cpujul2021.html";Assigned (20201209);"None (candidate not yet proposed)";"" 0.20.2;0;20;2;CVE-2021-26919;Candidate;"Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties; which; if left unmitigated; can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2";"MISC:https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E | URL:https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E | MLIST:[druid-commits] 20210401 [GitHub] [druid] jihoonson merged pull request #11047: Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc@%3Ccommits.druid.apache.org%3E | MLIST:[druid-commits] 20210412 [GitHub] [druid] jihoonson merged pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872@%3Ccommits.druid.apache.org%3E | MLIST:[druid-commits] 20210412 [GitHub] [druid] jihoonson opened a new pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864@%3Ccommits.druid.apache.org%3E | MLIST:[druid-dev] 20210331 Regarding the 0.21.0 release | URL:https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210401 Re: Subject: [CVE-2021-26919] Authenticated users can execute arbitrary code from malicious MySQL database systems | URL:https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210405 Re: Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210405 Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210414 Re: Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f@%3Cdev.druid.apache.org%3E";Assigned (20210209);"None (candidate not yet proposed)";"" 0.21.0;0;21;0;CVE-2021-26919;Candidate;"Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties; which; if left unmitigated; can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2";"MISC:https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E | URL:https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E | MLIST:[druid-commits] 20210401 [GitHub] [druid] jihoonson merged pull request #11047: Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc@%3Ccommits.druid.apache.org%3E | MLIST:[druid-commits] 20210412 [GitHub] [druid] jihoonson merged pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872@%3Ccommits.druid.apache.org%3E | MLIST:[druid-commits] 20210412 [GitHub] [druid] jihoonson opened a new pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864@%3Ccommits.druid.apache.org%3E | MLIST:[druid-dev] 20210331 Regarding the 0.21.0 release | URL:https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210401 Re: Subject: [CVE-2021-26919] Authenticated users can execute arbitrary code from malicious MySQL database systems | URL:https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210405 Re: Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210405 Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697@%3Cdev.druid.apache.org%3E | MLIST:[druid-dev] 20210414 Re: Regarding the CVSS score for CVE-2021-26919 | URL:https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f@%3Cdev.druid.apache.org%3E";Assigned (20210209);"None (candidate not yet proposed)";"" 10.2.36;10;2;36;CVE-2021-27928;Candidate;"A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37; 10.3 before 10.3.28; 10.4 before 10.4.18; and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection; in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.";"GENTOO:GLSA-202105-28 | URL:https://security.gentoo.org/glsa/202105-28 | MISC:http://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html | MISC:https://jira.mariadb.org/browse/MDEV-25179 | MISC:https://mariadb.com/kb/en/mariadb-10237-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10328-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10418-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-1059-release-notes/ | MISC:https://mariadb.com/kb/en/security/ | MLIST:[debian-lts-announce] 20210323 [SECURITY] [DLA 2605-1] mariadb-10.1 security update | URL:https://lists.debian.org/debian-lts-announce/2021/03/msg00028.html";Assigned (20210303);"None (candidate not yet proposed)";"" 10.3.27;10;3;27;CVE-2021-27928;Candidate;"A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37; 10.3 before 10.3.28; 10.4 before 10.4.18; and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection; in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.";"GENTOO:GLSA-202105-28 | URL:https://security.gentoo.org/glsa/202105-28 | MISC:http://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html | MISC:https://jira.mariadb.org/browse/MDEV-25179 | MISC:https://mariadb.com/kb/en/mariadb-10237-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10328-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10418-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-1059-release-notes/ | MISC:https://mariadb.com/kb/en/security/ | MLIST:[debian-lts-announce] 20210323 [SECURITY] [DLA 2605-1] mariadb-10.1 security update | URL:https://lists.debian.org/debian-lts-announce/2021/03/msg00028.html";Assigned (20210303);"None (candidate not yet proposed)";"" 10.4.17;10;4;17;CVE-2021-27928;Candidate;"A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37; 10.3 before 10.3.28; 10.4 before 10.4.18; and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection; in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.";"GENTOO:GLSA-202105-28 | URL:https://security.gentoo.org/glsa/202105-28 | MISC:http://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html | MISC:https://jira.mariadb.org/browse/MDEV-25179 | MISC:https://mariadb.com/kb/en/mariadb-10237-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10328-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10418-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-1059-release-notes/ | MISC:https://mariadb.com/kb/en/security/ | MLIST:[debian-lts-announce] 20210323 [SECURITY] [DLA 2605-1] mariadb-10.1 security update | URL:https://lists.debian.org/debian-lts-announce/2021/03/msg00028.html";Assigned (20210303);"None (candidate not yet proposed)";"" 10.5.8;10;5;8;CVE-2021-27928;Candidate;"A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37; 10.3 before 10.3.28; 10.4 before 10.4.18; and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection; in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.";"GENTOO:GLSA-202105-28 | URL:https://security.gentoo.org/glsa/202105-28 | MISC:http://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html | MISC:https://jira.mariadb.org/browse/MDEV-25179 | MISC:https://mariadb.com/kb/en/mariadb-10237-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10328-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-10418-release-notes/ | MISC:https://mariadb.com/kb/en/mariadb-1059-release-notes/ | MISC:https://mariadb.com/kb/en/security/ | MLIST:[debian-lts-announce] 20210323 [SECURITY] [DLA 2605-1] mariadb-10.1 security update | URL:https://lists.debian.org/debian-lts-announce/2021/03/msg00028.html";Assigned (20210303);"None (candidate not yet proposed)";"" -2.11.10;2;11;10;CVE-2021-32743;Candidate;"Icinga is a monitoring system which checks the availability of network resources; notifies users of outages; and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4; some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add; modify and delete information there. If credentials with more permissions are in use; this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases; these passwords are no longer exposed via the API. As a workaround; API user permissions can be restricted to not allow querying of any affected objects; either by explicitly listing only the required object types for object query permissions; or by applying a filter rule.";"CONFIRM:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | URL:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | MISC:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ | URL:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/";Assigned (20210512);"None (candidate not yet proposed)";"" -2.12.0;2;12;0;CVE-2021-32743;Candidate;"Icinga is a monitoring system which checks the availability of network resources; notifies users of outages; and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4; some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add; modify and delete information there. If credentials with more permissions are in use; this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases; these passwords are no longer exposed via the API. As a workaround; API user permissions can be restricted to not allow querying of any affected objects; either by explicitly listing only the required object types for object query permissions; or by applying a filter rule.";"CONFIRM:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | URL:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | MISC:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ | URL:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/";Assigned (20210512);"None (candidate not yet proposed)";"" -2.12.4;2;12;4;CVE-2021-32743;Candidate;"Icinga is a monitoring system which checks the availability of network resources; notifies users of outages; and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4; some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add; modify and delete information there. If credentials with more permissions are in use; this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases; these passwords are no longer exposed via the API. As a workaround; API user permissions can be restricted to not allow querying of any affected objects; either by explicitly listing only the required object types for object query permissions; or by applying a filter rule.";"CONFIRM:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | URL:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | MISC:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ | URL:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/";Assigned (20210512);"None (candidate not yet proposed)";"" -2.8.0;2;8;0;CVE-2021-32743;Candidate;"Icinga is a monitoring system which checks the availability of network resources; notifies users of outages; and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4; some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add; modify and delete information there. If credentials with more permissions are in use; this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases; these passwords are no longer exposed via the API. As a workaround; API user permissions can be restricted to not allow querying of any affected objects; either by explicitly listing only the required object types for object query permissions; or by applying a filter rule.";"CONFIRM:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | URL:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | MISC:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ | URL:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/";Assigned (20210512);"None (candidate not yet proposed)";"" -2.12.5;2;12;5;CVE-2021-32743;Candidate;"Icinga is a monitoring system which checks the availability of network resources; notifies users of outages; and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4; some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add; modify and delete information there. If credentials with more permissions are in use; this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases; these passwords are no longer exposed via the API. As a workaround; API user permissions can be restricted to not allow querying of any affected objects; either by explicitly listing only the required object types for object query permissions; or by applying a filter rule.";"CONFIRM:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | URL:https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 | MISC:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ | URL:https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/";Assigned (20210512);"None (candidate not yet proposed)";"" 19.0.5;19;0;5;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";"" 11.0.5;11;0;5;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";"" 19.1.4;19;1;4;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";"" @@ -1509,27 +1462,3 @@ 12.1.3;12;1;3;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";"" 21.0.0;21;0;0;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";"" 13.0.0;13;0;0;CVE-2021-33894;Candidate;"In Progress MOVEit Transfer before 2019.0.6 (11.0.6); 2019.1.x before 2019.1.5 (11.1.5); 2019.2.x before 2019.2.2 (11.2.2); 2020.x before 2020.0.5 (12.0.5); 2020.1.x before 2020.1.4 (12.1.4); and 2021.x before 2021.0.1 (13.0.1); a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021 | MISC:https://www.progress.com/moveit";Assigned (20210606);"None (candidate not yet proposed)";"" -21.0.2;21;0;2;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";"" -13.0.2;13;0;2;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";"" -19.0.6;19;0;6;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";"" -11.0.6;11;0;6;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";"" -19.1.5;19;1;5;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";"" -11.1.5;11;1;5;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";"" -19.2.2;19;2;2;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";"" -11.2.2;11;2;2;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";"" -20.0.5;20;0;5;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";"" -12.0.5;12;0;5;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";"" -20.1.4;20;1;4;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";"" -12.1.4;12;1;4;CVE-2021-37614;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3); SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7); 2019.1.6 (11.1.6); 2019.2.3 (11.2.3); 2020.0.6 (12.0.6); 2020.1.5 (12.1.5); and 2021.0.3 (13.0.3).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 | MISC:https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm | MISC:https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8";Assigned (20210729);"None (candidate not yet proposed)";"" -21.0.3;21;0;3;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";"" -13.0.3;13;0;3;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";"" -19.0.7;19;0;7;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";"" -11.0.7;11;0;7;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";"" -19.1.6;19;1;6;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";"" -11.1.6;11;1;6;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";"" -19.2.3;19;2;3;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";"" -11.2.3;11;2;3;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";"" -20.0.6;20;0;6;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";"" -12.0.6;12;0;6;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";"" -20.1.5;20;1;5;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";"" -12.1.5;12;1;5;CVE-2021-38159;Candidate;"In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4); SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; or execute SQL statements that alter or delete database elements; via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8); 2019.1.7 (11.1.7); 2019.2.4 (11.2.4); 2020.0.7 (12.0.7); 2020.1.6 (12.1.6); and 2021.0.4 (13.0.4).";"CONFIRM:https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 | MISC:https://www.progress.com/moveit";Assigned (20210807);"None (candidate not yet proposed)";""