Source: mysql-8.0 X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security
Hi, The following vulnerabilities were published for mysql-8.0. CVE-2024-21247[0]: | Vulnerability in the MySQL Client product of Oracle MySQL | (component: Client: mysqldump). Supported versions that are | affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. | Easily exploitable vulnerability allows high privileged attacker | with network access via multiple protocols to compromise MySQL | Client. Successful attacks of this vulnerability can result in | unauthorized update, insert or delete access to some of MySQL Client | accessible data as well as unauthorized read access to a subset of | MySQL Client accessible data. CVSS 3.1 Base Score 3.8 | (Confidentiality and Integrity impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N). CVE-2024-21241[1]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Optimizer). Supported versions that are | affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. | Easily exploitable vulnerability allows high privileged attacker | with network access via multiple protocols to compromise MySQL | Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 | (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21239[2]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: InnoDB). Supported versions that are affected are | 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21238[3]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Thread Pooling). Supported versions that are | affected are 8.0.39 and prior, 8.4.1 and prior and 9.0.1 and prior. | Difficult to exploit vulnerability allows low privileged attacker | with network access via multiple protocols to compromise MySQL | Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 | (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21237[4]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Group Replication GCS). Supported versions that | are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and | prior. Difficult to exploit vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result | in unauthorized ability to cause a partial denial of service | (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.2 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L). CVE-2024-21236[5]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: InnoDB). Supported versions that are affected are | 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21231[6]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Client programs). Supported versions that are affected | are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. | Difficult to exploit vulnerability allows low privileged attacker | with network access via multiple protocols to compromise MySQL | Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a partial denial of service (partial | DOS) of MySQL Server. CVSS 3.1 Base Score 3.1 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L). CVE-2024-21230[7]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Optimizer). Supported versions that are | affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. | Easily exploitable vulnerability allows low privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21219[8]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: DML). Supported versions that are affected are | 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21218[9]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: InnoDB). Supported versions that are affected are | 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21213[10]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: InnoDB). Supported versions that are affected are | 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily | exploitable vulnerability allows high privileged attacker with logon | to the infrastructure where MySQL Server executes to compromise | MySQL Server. Successful attacks require human interaction from a | person other than the attacker. Successful attacks of this | vulnerability can result in unauthorized ability to cause a hang or | frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 | Base Score 4.2 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H). CVE-2024-21212[11]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Health Monitor). Supported versions that are | affected are 8.0.39 and prior and 8.4.0. Difficult to exploit | vulnerability allows high privileged attacker with network access | via multiple protocols to compromise MySQL Server. Successful | attacks of this vulnerability can result in unauthorized ability to | cause a hang or frequently repeatable crash (complete DOS) of MySQL | Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS | Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21203[12]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: FTS). Supported versions that are affected are | 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21201[13]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Optimizer). Supported versions that are | affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. | Easily exploitable vulnerability allows high privileged attacker | with network access via multiple protocols to compromise MySQL | Server. Successful attacks of this vulnerability can result in | unauthorized ability to cause a hang or frequently repeatable crash | (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 | (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21199[14]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: InnoDB). Supported versions that are affected are | 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21198[15]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: DDL). Supported versions that are affected are | 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21197[16]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Information Schema). Supported versions that | are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and | prior. Easily exploitable vulnerability allows high privileged | attacker with network access via multiple protocols to compromise | MySQL Server. Successful attacks of this vulnerability can result | in unauthorized ability to cause a hang or frequently repeatable | crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 | (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21196[17]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: X Plugin). Supported versions that are affected | are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily | exploitable vulnerability allows low privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21194[18]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: InnoDB). Supported versions that are affected are | 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2024-21193[19]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: PS). Supported versions that are affected are | 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily | exploitable vulnerability allows high privileged attacker with | network access via multiple protocols to compromise MySQL Server. | Successful attacks of this vulnerability can result in unauthorized | ability to cause a hang or frequently repeatable crash (complete | DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-21247 https://www.cve.org/CVERecord?id=CVE-2024-21247 [1] https://security-tracker.debian.org/tracker/CVE-2024-21241 https://www.cve.org/CVERecord?id=CVE-2024-21241 [2] https://security-tracker.debian.org/tracker/CVE-2024-21239 https://www.cve.org/CVERecord?id=CVE-2024-21239 [3] https://security-tracker.debian.org/tracker/CVE-2024-21238 https://www.cve.org/CVERecord?id=CVE-2024-21238 [4] https://security-tracker.debian.org/tracker/CVE-2024-21237 https://www.cve.org/CVERecord?id=CVE-2024-21237 [5] https://security-tracker.debian.org/tracker/CVE-2024-21236 https://www.cve.org/CVERecord?id=CVE-2024-21236 [6] https://security-tracker.debian.org/tracker/CVE-2024-21231 https://www.cve.org/CVERecord?id=CVE-2024-21231 [7] https://security-tracker.debian.org/tracker/CVE-2024-21230 https://www.cve.org/CVERecord?id=CVE-2024-21230 [8] https://security-tracker.debian.org/tracker/CVE-2024-21219 https://www.cve.org/CVERecord?id=CVE-2024-21219 [9] https://security-tracker.debian.org/tracker/CVE-2024-21218 https://www.cve.org/CVERecord?id=CVE-2024-21218 [10] https://security-tracker.debian.org/tracker/CVE-2024-21213 https://www.cve.org/CVERecord?id=CVE-2024-21213 [11] https://security-tracker.debian.org/tracker/CVE-2024-21212 https://www.cve.org/CVERecord?id=CVE-2024-21212 [12] https://security-tracker.debian.org/tracker/CVE-2024-21203 https://www.cve.org/CVERecord?id=CVE-2024-21203 [13] https://security-tracker.debian.org/tracker/CVE-2024-21201 https://www.cve.org/CVERecord?id=CVE-2024-21201 [14] https://security-tracker.debian.org/tracker/CVE-2024-21199 https://www.cve.org/CVERecord?id=CVE-2024-21199 [15] https://security-tracker.debian.org/tracker/CVE-2024-21198 https://www.cve.org/CVERecord?id=CVE-2024-21198 [16] https://security-tracker.debian.org/tracker/CVE-2024-21197 https://www.cve.org/CVERecord?id=CVE-2024-21197 [17] https://security-tracker.debian.org/tracker/CVE-2024-21196 https://www.cve.org/CVERecord?id=CVE-2024-21196 [18] https://security-tracker.debian.org/tracker/CVE-2024-21194 https://www.cve.org/CVERecord?id=CVE-2024-21194 [19] https://security-tracker.debian.org/tracker/CVE-2024-21193 https://www.cve.org/CVERecord?id=CVE-2024-21193 Please adjust the affected versions in the BTS as needed.
