OpenCVE

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: Internal Operations). Supported versions that are affected are 7.4.38 and prior, 7.5.28 and prior, 7.6.24 and prior and 8.0.31 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oracle	Mysql Cluster

Configuration 1 [-]

OR	cpe:2.3:a:oracle:mysql_cluster::::::::
	cpe:2.3:a:oracle:mysql_cluster::::::::
	cpe:2.3:a:oracle:mysql_cluster::::::::
	cpe:2.3:a:oracle:mysql_cluster::::::::

No data.

References

Link	Providers
https://www.oracle.com/security-alerts/cpujan2023.html

History

Tue, 17 Sep 2024 03:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2023-01-18T00:15:07.824Z

Updated: 2024-09-16T19:31:57.963Z

Reserved: 2022-12-17T19:26:00.695Z

Link: CVE-2023-21860

Vulnrichment

Updated: 2024-08-02T09:51:51.230Z

NVD

Status : Modified

Published: 2023-01-18T01:15:13.263

Modified: 2024-11-21T07:43:47.803

Link: CVE-2023-21860

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-21860", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2022-12-17T19:26:00.695Z", "datePublished": "2023-01-18T00:15:07.824Z", "dateUpdated": "2024-09-16T19:31:57.963Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2023-03-23T23:37:37.666Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "MySQL Cluster", "versions": [{"version": "7.4.38 and prior", "status": "affected"}, {"version": "7.5.28 and prior", "status": "affected"}, {"version": "7.6.24 and prior", "status": "affected"}, {"version": "8.0.31 and prior", "status": "affected"}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: Internal Operations). Supported versions that are affected are 7.4.38 and prior, 7.5.28 and prior, 7.6.24 and prior and 8.0.31 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2023.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.3, "baseSeverity": "MEDIUM"}}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T09:51:51.230Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2023.html", "name": "Oracle Advisory", "tags": ["vendor-advisory", "x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-16T19:31:21.543811Z", "id": "CVE-2023-21860", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-16T19:31:57.963Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2023.html", "name": "Oracle Advisory", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T09:51:51.230Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-21860", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-16T19:31:21.543811Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-16T19:31:52.045Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Oracle Corporation", "product": "MySQL Cluster", "versions": [{"status": "affected", "version": "7.4.38 and prior"}, {"status": "affected", "version": "7.5.28 and prior"}, {"status": "affected", "version": "7.6.24 and prior"}, {"status": "affected", "version": "8.0.31 and prior"}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2023.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: Internal Operations). Supported versions that are affected are 7.4.38 and prior, 7.5.28 and prior, 7.6.24 and prior and 8.0.31 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster."}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2023-03-23T23:37:37.666Z"}}}, "cveMetadata": {"cveId": "CVE-2023-21860", "state": "PUBLISHED", "dateUpdated": "2024-09-16T19:31:57.963Z", "dateReserved": "2022-12-17T19:26:00.695Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2023-01-18T00:15:07.824Z", "assignerShortName": "oracle"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", "matchCriteriaId": "EAB50995-0099-47D2-A76D-29B64369FACE", "versionEndIncluding": "7.4.38", "versionStartIncluding": "7.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", "matchCriteriaId": "42531C4C-FB22-45B8-8188-170AA15EB626", "versionEndIncluding": "7.5.28", "versionStartIncluding": "7.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", "matchCriteriaId": "2BC02D0B-E37B-40FB-936D-F8071B4ABEE6", "versionEndIncluding": "7.6.24", "versionStartIncluding": "7.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B295719-BB7A-4A37-83C1-8F440E0D3E38", "versionEndIncluding": "8.0.31", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: Internal Operations). Supported versions that are affected are 7.4.38 and prior, 7.5.28 and prior, 7.6.24 and prior and 8.0.31 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)."}, {"lang": "es", "value": "Vulnerabilidad en el producto MySQL Cluster de Oracle MySQL (componente: Cluster: Operaciones Internas). Las versiones compatibles que se ven afectadas son 7.4.38 y anteriores, 7.5.28 y anteriores, 7.6.24 y anteriores y 8.0.31 y anteriores. Una vulnerabilidad dif\u00edcil de explotar permite que un atacante con altos privilegios tenga acceso al segmento de comunicaci\u00f3n f\u00edsica conectado al hardware donde se ejecuta MySQL Cluster para comprometer MySQL Cluster. Los ataques exitosos requieren la interacci\u00f3n humana de una persona distinta del atacante. Los ataques exitosos a esta vulnerabilidad pueden resultar en la toma de control de MySQL Cluster. CVSS 3.1 Puntuaci\u00f3n base 6.3 (impactos en la confidencialidad, la integridad y la disponibilidad). Vector CVSS: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)."}], "id": "CVE-2023-21860", "lastModified": "2024-11-21T07:43:47.803", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.4, "impactScore": 5.9, "source": "secalert_us@oracle.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.4, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-18T01:15:13.263", "references": [{"source": "secalert_us@oracle.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2023.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2023.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}