Multiple vulnerabilities in MySQL Cluster
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2022-21519 CVE-2022-21550 CVE-2022-21824 |
| CWE-ID | CWE-20 CWE-191 CWE-94 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
MySQL Cluster Web applications / Remote management & hosting panels |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper input validation
EUVDB-ID: #VU65507
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-21519
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Cluster: General component in MySQL Cluster. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsMySQL Cluster: 8.0.16 - 8.0.29
CPE2.3 External linkshttps://www.oracle.com/security-alerts/cpujul2022.html?62368
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Integer underflow
EUVDB-ID: #VU65506
Risk: Medium
CVSSv4.0: 6.1 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-21550
CWE-ID:
CWE-191 - Integer underflow
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to integer underflow when processing Data Node jobs. A remote user can send a specially crafted input to the affected application, trigger integer an underflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsMySQL Cluster: 7.4.1 - 8.0.29
CPE2.3- cpe:2.3:a:oracle:mysql_cluster:7.4.36:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_cluster:7.5.26:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_cluster:7.6.22:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujul2022.html?62368
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Prototype pollution
EUVDB-ID: #VU59551
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-21824
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to the formatting logic of the console.table() function. A remote attacker can send a specially crafted request and assign an empty string to numerical keys of the object prototype.
Install update from vendor's website.
Vulnerable software versionsMySQL Cluster: 8.0.16 - 8.0.29
CPE2.3https://www.oracle.com/security-alerts/cpujul2022.html?62368
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
