hhf/MySQLTuner-perl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updates doc and CVE

Browse source
This commit is contained in:
Jean-Marie Renouard 2023-06-07 19:29:41 +02:00
parent c378782015
commit 90cf069aa6
4 changed files with 136 additions and 80 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
FEATURES.md
View file

@ -52,6 +52,7 @@ Features list for option: --feature (dev only)
* infoprinthcmd
* infoprintml
* is_open_port
* is_remote()
* is_virtual_machine
* log_file_recommendations
* make_recommendations

6
USAGE.md
View file

@ -1,6 +1,6 @@
# NAME
MySQLTuner 2.1.1 - MySQL High Performance Tuning Script
MySQLTuner 2.1.5 - MySQL High Performance Tuning Script
# IMPORTANT USAGE GUIDELINES
@ -43,8 +43,8 @@ You must provide the remote server's total memory when connecting to other serve
--reportfile <path> Path to a report txt file
--template <path> Path to a template file
--dumpdir <path> Path to a directory where to dump information files
# OUTPUT OPTIONS
--feature <feature> Run a specific feature (see FEATURES section)
=head1 OUTPUT OPTIONS
--silent Don't output anything on screen
--verbose Print out all options (default: no verbose, dbstat, idxstat, sysstat, tbstat, pfstat)

163
mysqltuner.pl
View file

@ -275,17 +275,21 @@ sub prettyprint {
print $_[0] . "\n" unless ( $opt{'silent'} or $opt{'json'} );
print $fh $_[0] . "\n" if defined($fh);
}
sub goodprint {
prettyprint $good. " " . $_[0] unless ( $opt{nogood} == 1 );
sub goodprint {
prettyprint $good. " " . $_[0] unless ( $opt{nogood} == 1 );
}
sub infoprint {
prettyprint $info. " " . $_[0] unless ( $opt{noinfo} == 1 );
sub infoprint {
prettyprint $info. " " . $_[0] unless ( $opt{noinfo} == 1 );
}
sub badprint {
prettyprint $bad. " " . $_[0] unless ( $opt{nobad} == 1 );
sub badprint {
prettyprint $bad. " " . $_[0] unless ( $opt{nobad} == 1 );
}
sub debugprint {
prettyprint $deb. " " . $_[0] unless ( $opt{debug} == 0 );
prettyprint $deb. " " . $_[0] unless ( $opt{debug} == 0 );
}
sub redwrap {
@ -295,12 +299,13 @@ sub redwrap {
sub greenwrap {
return ( $opt{nocolor} == 0 ) ? "\e[0;32m" . $_[0] . "\e[0m" : $_[0];
}
sub cmdprint {
prettyprint $cmd. " " . $_[0] . $end;
prettyprint $cmd. " " . $_[0] . $end;
}
sub infoprintml {
for my $ln (@_) { $ln =~ s/\n//g; infoprint "\t$ln"; }
for my $ln (@_) { $ln =~ s/\n//g; infoprint "\t$ln"; }
}
sub infoprintcmd {
@ -329,6 +334,7 @@ sub is_remote() {
return 0 if ( $host eq '127.0.0.1' );
return 1;
}
# Calculates the number of physical cores considering HyperThreading
sub cpu_cores {
if ( $^O eq 'linux' ) {
@ -785,15 +791,14 @@ sub mysql_setup {
chomp( $opt{host} );
# If we're doing a remote connection, but forcemem wasn't specified, we need to exit
if ( $opt{'forcemem'} eq 0 && is_remote eq 1 )
{
if ( $opt{'forcemem'} eq 0 && is_remote eq 1 ) {
badprint "The --forcemem option is required for remote connections";
exit 1;
}
infoprint "Performing tests on $opt{host}:$opt{port}";
$remotestring = " -h $opt{host} -P $opt{port}";
$doremote = is_remote();
$doremote = is_remote();
}
else {
$opt{host} = '127.0.0.1';
@ -965,7 +970,7 @@ sub mysql_setup {
unless ( -e "${userpath}/.my.cnf" or -e "${userpath}/.mylogin.cnf" )
{
badprint
"SECURITY RISK: Successfully authenticated without password";
"SECURITY RISK: Successfully authenticated without password";
}
return 1;
}
@ -1070,6 +1075,7 @@ sub select_array_with_headers {
chomp(@result);
return @result;
}
# MySQL Request Array
sub select_csv_file {
my $tfile = shift;
@ -1423,9 +1429,8 @@ sub get_log_file_real_path {
}
sub log_file_recommendations {
if ( is_remote eq 1 )
{
infoprint "Skipping error log files checks on remote host";
if ( is_remote eq 1 ) {
infoprint "Skipping error log files checks on remote host";
}
my $fh;
$myvar{'log_error'} = $opt{'server-log'}
@ -1788,10 +1793,10 @@ sub infocmd_one {
sub get_kernel_info {
my @params = (
'fs.aio-max-nr', 'fs.aio-nr', 'fs.nr_open',
'fs.file-max', 'sunrpc.tcp_fin_timeout',
'sunrpc.tcp_max_slot_table_entries', 'sunrpc.tcp_slot_table_entries',
'vm.swappiness'
'fs.aio-max-nr', 'fs.aio-nr',
'fs.nr_open', 'fs.file-max',
'sunrpc.tcp_fin_timeout', 'sunrpc.tcp_max_slot_table_entries',
'sunrpc.tcp_slot_table_entries', 'vm.swappiness'
);
infoprint "Information about kernel tuning:";
foreach my $param (@params) {
@ -1803,7 +1808,7 @@ sub get_kernel_info {
"Swappiness is > 10, please consider having a value lower than 10";
push @generalrec, "setup swappiness lower or equal to 10";
push @adjvars,
'vm.swappiness <= 10 (echo 10 > /proc/sys/vm/swappiness) or vm.swappiness=10 in /etc/sysctl.conf';
'vm.swappiness <= 10 (echo 10 > /proc/sys/vm/swappiness) or vm.swappiness=10 in /etc/sysctl.conf';
}
else {
infoprint "Swappiness is < 10.";
@ -1831,7 +1836,7 @@ sub get_kernel_info {
"Max running total of the number of max. events is < 1M, please consider having a value greater than 1M";
push @generalrec, "setup Max running number events greater than 1M";
push @adjvars,
'fs.aio-max-nr > 1M (echo 1048576 > /proc/sys/fs/aio-max-nr) or fs.aio-max-nr=1048576 in /etc/sysctl.conf';
'fs.aio-max-nr > 1M (echo 1048576 > /proc/sys/fs/aio-max-nr) or fs.aio-max-nr=1048576 in /etc/sysctl.conf';
}
else {
infoprint "Max Number of AIO events is > 1M.";
@ -1841,9 +1846,10 @@ sub get_kernel_info {
if ( `sysctl -n fs.nr_open` < 1000000 ) {
badprint
"Max running total of the number of file open request is < 1M, please consider having a value greater than 1M";
push @generalrec, "setup running number of open request greater than 1M";
push @generalrec,
"setup running number of open request greater than 1M";
push @adjvars,
'fs.aio-nr > 1M (echo 1048576 > /proc/sys/fs/nr_open) or fs.nr_open=1048576 in /etc/sysctl.conf';
'fs.aio-nr > 1M (echo 1048576 > /proc/sys/fs/nr_open) or fs.nr_open=1048576 in /etc/sysctl.conf';
}
else {
infoprint "Max Number of open file requests is > 1M.";
@ -1899,8 +1905,7 @@ sub get_system_info {
}
infoprint "External IP : " . $ext_ip;
$result{'Network'}{'External Ip'} = $ext_ip;
badprint
"External IP : Can't check, no Internet connectivity"
badprint "External IP : Can't check, no Internet connectivity"
unless defined($httpcli);
infoprint "Name Servers : "
. infocmd_one "grep 'nameserver' /etc/resolv.conf \| awk '{print \$2}'";
@ -1920,10 +1925,9 @@ sub get_system_info {
}
sub system_recommendations {
if ( is_remote eq 1 )
{
infoprint "Skipping system checks on remote host";
return;
if ( is_remote eq 1 ) {
infoprint "Skipping system checks on remote host";
return;
}
return if ( $opt{sysstat} == 0 );
subheaderprint "System Linux Recommendations";
@ -2390,10 +2394,9 @@ sub mysql_version_le {
my ($arch);
sub check_architecture {
if ( is_remote eq 1 )
{
infoprint "Skipping architecture check on remote host";
return;
if ( is_remote eq 1 ) {
infoprint "Skipping architecture check on remote host";
return;
}
if ( `uname` =~ /SunOS/ && `isainfo -b` =~ /64/ ) {
$arch = 64;
@ -3315,7 +3318,9 @@ sub mysql_stats {
push( @adjvars, "skip-name-resolve=0" );
}
}
elsif ( $result{'Variables'}{'skip_name_resolve'} ne 'OFF' and $result{'Variables'}{'skip_name_resolve'} ne '0' ) {
elsif ( $result{'Variables'}{'skip_name_resolve'} ne 'OFF'
and $result{'Variables'}{'skip_name_resolve'} ne '0' )
{
badprint
"Name resolution is active: a reverse name resolution is made for each new connection which can reduce performance";
push( @generalrec,
@ -3358,38 +3363,42 @@ sub mysql_stats {
"query_cache_limit (> "
. hr_bytes_rnd( $myvar{'query_cache_limit'} )
. ", or use smaller result sets)" );
badprint "Query cache may be disabled by default due to mutex contention.";
badprint
"Query cache may be disabled by default due to mutex contention.";
push( @adjvars, "query_cache_size (=0)" );
push( @adjvars, "query_cache_type (=0)" );
} else {
goodprint
"Query cache efficiency: $mycalc{'query_cache_efficiency'}% ("
. hr_num( $mystat{'Qcache_hits'} )
. " cached / "
. hr_num( $mystat{'Qcache_hits'} + $mystat{'Com_select'} )
. " selects)";
if ( $mycalc{'query_cache_prunes_per_day'} > 98 ) {
badprint
"Query cache prunes per day: $mycalc{'query_cache_prunes_per_day'}";
if ( $myvar{'query_cache_size'} >= 128 * 1024 * 1024 ) {
push( @generalrec,
"Increasing the query_cache size over 128M may reduce performance"
);
push( @adjvars,
"query_cache_size (> "
. hr_bytes_rnd( $myvar{'query_cache_size'} )
. ") [see warning above]" );
}
else {
push( @adjvars,
"query_cache_size (> "
. hr_bytes_rnd( $myvar{'query_cache_size'} )
. ")" );
}
} else {
goodprint "Query cache prunes per day: $mycalc{'query_cache_prunes_per_day'}";
}
}
else {
goodprint
"Query cache efficiency: $mycalc{'query_cache_efficiency'}% ("
. hr_num( $mystat{'Qcache_hits'} )
. " cached / "
. hr_num( $mystat{'Qcache_hits'} + $mystat{'Com_select'} )
. " selects)";
if ( $mycalc{'query_cache_prunes_per_day'} > 98 ) {
badprint
"Query cache prunes per day: $mycalc{'query_cache_prunes_per_day'}";
if ( $myvar{'query_cache_size'} >= 128 * 1024 * 1024 ) {
push( @generalrec,
"Increasing the query_cache size over 128M may reduce performance"
);
push( @adjvars,
"query_cache_size (> "
. hr_bytes_rnd( $myvar{'query_cache_size'} )
. ") [see warning above]" );
}
else {
push( @adjvars,
"query_cache_size (> "
. hr_bytes_rnd( $myvar{'query_cache_size'} )
. ")" );
}
}
else {
goodprint
"Query cache prunes per day: $mycalc{'query_cache_prunes_per_day'}";
}
}
}
@ -4009,7 +4018,8 @@ sub mysql_pfs {
"select * from sys.\`$sys_view\`"
);
}
#exit 0 if ( $opt{stop} == 1 );
#exit 0 if ( $opt{stop} == 1 );
}
# Top user per connection
@ -6230,7 +6240,8 @@ sub mysql_innodb {
$mystat{'Innodb_log_waits_computed'} = 0;
if ( defined( $mystat{'Innodb_log_waits'} )
and defined( $mystat{'Innodb_log_writes'} ) and $mystat{'Innodb_log_writes'} > 0.000001 )
and defined( $mystat{'Innodb_log_writes'} )
and $mystat{'Innodb_log_writes'} > 0.000001 )
{
$mystat{'Innodb_log_waits_computed'} =
$mystat{'Innodb_log_waits'} / $mystat{'Innodb_log_writes'};
@ -6536,6 +6547,7 @@ sub mysql_tables {
}
infoprint("Dumpdir: $opt{dumpdir}");
# Store all information schema in dumpdir if defined
if ( defined $opt{dumpdir} and -d "$opt{dumpdir}" ) {
for my $info_s_table (
@ -6547,6 +6559,7 @@ sub mysql_tables {
"select * from information_schema.$info_s_table"
);
}
#exit 0 if ( $opt{stop} == 1 );
}
foreach ( select_user_dbs() ) {
@ -6971,13 +6984,13 @@ get_all_vars; # Toss variables/status into hashes
get_tuning_info; # Get information about the tuning connection
calculations; # Calculate everything we need
if ($opt{'feature'} ne '') {
subheaderprint "See FEATURES.md for more information";
no strict 'refs';
for my $feature (split /,/, $opt{'feature'}) {
subheaderprint "Running feature: $opt{'feature'}";
$feature->();
}
if ( $opt{'feature'} ne '' ) {
subheaderprint "See FEATURES.md for more information";
no strict 'refs';
for my $feature ( split /,/, $opt{'feature'} ) {
subheaderprint "Running feature: $opt{'feature'}";
$feature->();
}
exit(0);
}
validate_mysql_version; # Check current MySQL version
@ -6999,7 +7012,7 @@ security_recommendations; # Display some security recommendations
cve_recommendations; # Display related CVE
mysql_stats; # Print the server stats
mysql_pfs; # Print Performance schema info
mysql_pfs; # Print Performance schema info
mariadb_threadpool; # Print MariaDB ThreadPool stats
mysql_myisam; # Print MyISAM stats

46
vulnerabilities.csv
View file

@ -1716,8 +1716,8 @@
1.3.0;1;3;0;CVE-2022-44644;Candidate;"In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module; an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server; By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore; the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.1";"MISC:https://lists.apache.org/thread/hwq9ytq6y1kdh9lz5znptkcrdll9x85h | URL:https://lists.apache.org/thread/hwq9ytq6y1kdh9lz5znptkcrdll9x85h";Assigned (20221103);"None (candidate not yet proposed)";""
1.3.1;1;3;1;CVE-2022-44644;Candidate;"In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module; an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server; By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore; the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.1";"MISC:https://lists.apache.org/thread/hwq9ytq6y1kdh9lz5znptkcrdll9x85h | URL:https://lists.apache.org/thread/hwq9ytq6y1kdh9lz5znptkcrdll9x85h";Assigned (20221103);"None (candidate not yet proposed)";""
3.17.0;3;17;0;CVE-2022-45136;Candidate;"** UNSUPPORTED WHEN ASSIGNED ** Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The mySQL JDBC driver in particular is known to be vulnerable to this class of attack. As a result an application using Apache Jena SDB can be subject to RCE when connected to a malicious database server. Apache Jena SDB has been EOL since December 2020 and users should migrate to alternative options e.g. Apache Jena TDB 2.";"MISC:https://lists.apache.org/thread/mc77cdl5stgjtjoldk467gdf756qjt31 | URL:https://lists.apache.org/thread/mc77cdl5stgjtjoldk467gdf756qjt31 | MLIST:[oss-security] 20221114 CVE-2022-45136: JDBC Deserialisation in Apache Jena SDB | URL:http://www.openwall.com/lists/oss-security/2022/11/14/5";Assigned (20221110);"None (candidate not yet proposed)";""
10.3.33;10;3;33;CVE-2022-47015;Candidate;"MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.";"CONFIRM:https://security.netapp.com/advisory/ntap-20230309-0009/ | MISC:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954 | URL:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954";Assigned (20221212);"None (candidate not yet proposed)";""
10.9.2;10;9;2;CVE-2022-47015;Candidate;"MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.";"CONFIRM:https://security.netapp.com/advisory/ntap-20230309-0009/ | MISC:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954 | URL:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954";Assigned (20221212);"None (candidate not yet proposed)";""
10.3.33;10;3;33;CVE-2022-47015;Candidate;"MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.";"CONFIRM:https://security.netapp.com/advisory/ntap-20230309-0009/ | MISC:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954 | URL:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954 | MLIST:[debian-lts-announce] 20230604 [SECURITY] [DLA 3444-1] mariadb-10.3 security update | URL:https://lists.debian.org/debian-lts-announce/2023/06/msg00005.html";Assigned (20221212);"None (candidate not yet proposed)";""
10.9.2;10;9;2;CVE-2022-47015;Candidate;"MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.";"CONFIRM:https://security.netapp.com/advisory/ntap-20230309-0009/ | MISC:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954 | URL:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954 | MLIST:[debian-lts-announce] 20230604 [SECURITY] [DLA 3444-1] mariadb-10.3 security update | URL:https://lists.debian.org/debian-lts-announce/2023/06/msg00005.html";Assigned (20221212);"None (candidate not yet proposed)";""
8.0.31;8;0;31;CVE-2023-21836;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujan2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
5.7.40;5;7;40;CVE-2023-21840;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 5.7.40 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujan2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.31;8;0;31;CVE-2023-21863;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujan2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
@ -1742,4 +1742,46 @@
8.0.31;8;0;31;CVE-2023-21882;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).";"MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujan2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.31;8;0;31;CVE-2023-21883;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujan2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.31;8;0;31;CVE-2023-21887;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS). Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujan2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21911;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
5.7.41;5;7;41;CVE-2023-21912;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.41 and prior and 8.0.30 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.30;8;0;30;CVE-2023-21912;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.41 and prior and 8.0.30 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.31;8;0;31;CVE-2023-21913;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.30;8;0;30;CVE-2023-21917;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21919;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21920;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21929;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21933;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21935;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21940;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21945;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21946;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21947;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21953;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21955;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21962;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
5.7.40;5;7;40;CVE-2023-21963;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Connection Handling). Supported versions that are affected are 5.7.40 and prior and 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.31;8;0;31;CVE-2023-21963;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Connection Handling). Supported versions that are affected are 5.7.40 and prior and 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21966;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: JSON). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21972;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21976;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21977;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
5.7.41;5;7;41;CVE-2023-21980;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs). Supported versions that are affected are 5.7.41 and prior and 8.0.32 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.1 (Confidentiality; Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21980;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs). Supported versions that are affected are 5.7.41 and prior and 8.0.32 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.1 (Confidentiality; Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
8.0.32;8;0;32;CVE-2023-21982;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";""
7.0.0;7;0;0;CVE-2023-22974;Candidate;"A Path Traversal in setup.php in OpenEMR < 7.0.0 allows remote unauthenticated users to read arbitrary files by controlling a connection to an attacker-controlled MySQL server.";"MISC:https://www.open-emr.org/wiki/index.php/OpenEMR_Patches#7.0.0_Patch_.2811.2F30.2F22.29 | MISC:https://www.sonarsource.com/blog/openemr-remote-code-execution-in-your-healthcare-system/";Assigned (20230111);"None (candidate not yet proposed)";""
20.5.0;20;5;0;CVE-2023-28630;Candidate;"GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 and below 23.1.0; if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools; the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled; but does not have access to the `pg_dump` or `mysqldump` utility tools to backup the configured database type (PostgreSQL or MySQL respectively). In such cases; failure to launch the expected backup utility reports the shell environment used to attempt to launch in the server admin alert; which includes the plaintext database password supplied to the configured tool. This vulnerability does not affect backups of the default on-disk H2 database that GoCD is configured to use. This issue has been addressed and fixed in GoCD 23.1.0. Users are advised to upgrade. Users unable to upgrade may disable backups; or administrators should ensure that the required `pg_dump` (PostgreSQL) or `mysqldump` (MySQL) binaries are available on the GoCD server when backups are triggered.";"MISC:https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d | URL:https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d | MISC:https://github.com/gocd/gocd/releases/tag/23.1.0 | URL:https://github.com/gocd/gocd/releases/tag/23.1.0 | MISC:https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv | URL:https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv | MISC:https://www.gocd.org/releases/#23-1-0 | URL:https://www.gocd.org/releases/#23-1-0";Assigned (20230320);"None (candidate not yet proposed)";""
23.1.0;23;1;0;CVE-2023-28630;Candidate;"GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 and below 23.1.0; if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools; the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled; but does not have access to the `pg_dump` or `mysqldump` utility tools to backup the configured database type (PostgreSQL or MySQL respectively). In such cases; failure to launch the expected backup utility reports the shell environment used to attempt to launch in the server admin alert; which includes the plaintext database password supplied to the configured tool. This vulnerability does not affect backups of the default on-disk H2 database that GoCD is configured to use. This issue has been addressed and fixed in GoCD 23.1.0. Users are advised to upgrade. Users unable to upgrade may disable backups; or administrators should ensure that the required `pg_dump` (PostgreSQL) or `mysqldump` (MySQL) binaries are available on the GoCD server when backups are triggered.";"MISC:https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d | URL:https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d | MISC:https://github.com/gocd/gocd/releases/tag/23.1.0 | URL:https://github.com/gocd/gocd/releases/tag/23.1.0 | MISC:https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv | URL:https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv | MISC:https://www.gocd.org/releases/#23-1-0 | URL:https://www.gocd.org/releases/#23-1-0";Assigned (20230320);"None (candidate not yet proposed)";""
16.0.2;16;0;2;CVE-2023-29195;Candidate;"Vitess is a database clustering system for horizontal scaling of MySQL through generalized sharding. Prior to version 16.0.2; users can either intentionally or inadvertently create a shard containing `/` characters from VTAdmin such that from that point on; anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using `vtctldclient` does not have the same problem because the CLI validates the input correctly. Version 16.0.2; corresponding to version 0.16.2 of the `go` module; contains a patch for this issue. Some workarounds are available. Always use `vtctldclient` to create shards; instead of using VTAdmin; disable creating shards from VTAdmin using RBAC; and/or delete the topology record for the offending shard using the client for your topology server.";"MISC:https://github.com/vitessio/vitess/commit/9dcbd7de3180f47e94f54989fb5c66daea00c920 | URL:https://github.com/vitessio/vitess/commit/9dcbd7de3180f47e94f54989fb5c66daea00c920 | MISC:https://github.com/vitessio/vitess/issues/12842 | URL:https://github.com/vitessio/vitess/issues/12842 | MISC:https://github.com/vitessio/vitess/pull/12843 | URL:https://github.com/vitessio/vitess/pull/12843 | MISC:https://github.com/vitessio/vitess/releases/tag/v16.0.2 | URL:https://github.com/vitessio/vitess/releases/tag/v16.0.2 | MISC:https://github.com/vitessio/vitess/security/advisories/GHSA-pqj7-jx24-wj7w | URL:https://github.com/vitessio/vitess/security/advisories/GHSA-pqj7-jx24-wj7w | MISC:https://pkg.go.dev/vitess.io/vitess@v0.16.2 | URL:https://pkg.go.dev/vitess.io/vitess@v0.16.2";Assigned (20230403);"None (candidate not yet proposed)";""
0.16.2;0;16;2;CVE-2023-29195;Candidate;"Vitess is a database clustering system for horizontal scaling of MySQL through generalized sharding. Prior to version 16.0.2; users can either intentionally or inadvertently create a shard containing `/` characters from VTAdmin such that from that point on; anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using `vtctldclient` does not have the same problem because the CLI validates the input correctly. Version 16.0.2; corresponding to version 0.16.2 of the `go` module; contains a patch for this issue. Some workarounds are available. Always use `vtctldclient` to create shards; instead of using VTAdmin; disable creating shards from VTAdmin using RBAC; and/or delete the topology record for the offending shard using the client for your topology server.";"MISC:https://github.com/vitessio/vitess/commit/9dcbd7de3180f47e94f54989fb5c66daea00c920 | URL:https://github.com/vitessio/vitess/commit/9dcbd7de3180f47e94f54989fb5c66daea00c920 | MISC:https://github.com/vitessio/vitess/issues/12842 | URL:https://github.com/vitessio/vitess/issues/12842 | MISC:https://github.com/vitessio/vitess/pull/12843 | URL:https://github.com/vitessio/vitess/pull/12843 | MISC:https://github.com/vitessio/vitess/releases/tag/v16.0.2 | URL:https://github.com/vitessio/vitess/releases/tag/v16.0.2 | MISC:https://github.com/vitessio/vitess/security/advisories/GHSA-pqj7-jx24-wj7w | URL:https://github.com/vitessio/vitess/security/advisories/GHSA-pqj7-jx24-wj7w | MISC:https://pkg.go.dev/vitess.io/vitess@v0.16.2 | URL:https://pkg.go.dev/vitess.io/vitess@v0.16.2";Assigned (20230403);"None (candidate not yet proposed)";""
0.3.0;0;3;0;CVE-2023-31847;Candidate;"In davinci 0.3.0-rc after logging in; the user can connect to the mysql malicious server by controlling the data source to read arbitrary files on the client side.";"MISC:https://github.com/edp963/davinci/issues/2326";Assigned (20230429);"None (candidate not yet proposed)";""
21.0.5;21;0;5;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";""
13.0.5;13;0;5;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";""
21.1.3;21;1;3;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";""
13.1.3;13;1;3;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";""
22.0.3;22;0;3;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";""
14.0.3;14;0;3;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";""
22.1.4;22;1;4;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";""
14.1.4;14;1;4;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";""
23.0.0;23;0;0;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";""
15.0.0;15;0;0;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";""
2.37.0;2;37;0;CVE-2023-34409;Candidate;"In Percona Monitoring and Management (PMM) server 2.x before 2.37.1; the authenticate function in auth_server.go does not properly formalize and sanitize URL paths to reject path traversal attempts. This allows an unauthenticated remote user; when a crafted POST request is made against unauthenticated API routes; to access otherwise protected API routes leading to escalation of privileges and information disclosure.";"MISC:https://www.percona.com/blog/pmm-authentication-bypass-vulnerability-fixed-in-2-37-1/";Assigned (20230605);"None (candidate not yet proposed)";""

Can't render this file because it is too large.