#VU19264 Authentication bypass using an alternate path or channel in MySQL Connectors - CVE-2018-3258

Cybersecurity Help s.r.o.

Published: 2019-07-19

Vulnerability identifier: #VU19264

Vulnerability risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-3258

CWE-ID: CWE-288

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MySQL Connectors
Hardware solutions / Drivers

Vendor: Oracle

Description

The vulnerability allows an attacker to operate the product.

The vulnerability exists due to the access control bypass in the in the "Connector/J" component. A remote authenticated attacker with network access via multiple protocols can takeover the MySQL Connectors.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

MySQL Connectors: 2.0.4 - 8.0.12

External links
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Authentication bypass using an alternate path or channel in Oracle MySQL Connectors