CVE-2023-21977 - OpenCVE

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oracle	Mysql
Redhat	Enterprise Linux Rhel Software Collections

Configuration 1 [-]

cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
mysql:8.0-8090020240126173013.a75119d5	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:0894	2024-02-20T00:00:00Z
Red Hat Enterprise Linux 9
mysql-0:8.0.36-1.el9_3	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:1141	2024-03-05T00:00:00Z
Red Hat Software Collections for Red Hat Enterprise Linux 7
rh-mysql80-mysql-0:8.0.36-1.el7	cpe:/a:redhat:rhel_software_collections:3::el7	RHSA-2024:2619	2024-04-30T00:00:00Z

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2023-21977
https://security.netapp.com/advisory/ntap-20230427-0007/
https://www.cve.org/CVERecord?id=CVE-2023-21977
https://www.oracle.com/security-alerts/cpuapr2023.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2023-04-18T19:54:36.958Z

Updated: 2024-09-16T15:05:39.216Z

Reserved: 2022-12-17T19:26:00.736Z

Link: CVE-2023-21977

Vulnrichment

Updated: 2024-08-02T09:59:28.597Z

NVD

Status : Modified

Published: 2023-04-18T20:15:17.010

Modified: 2023-04-27T15:15:12.337

Link: CVE-2023-21977

Redhat

Severity : Moderate

Publid Date: 2023-04-18T00:00:00Z

Links: CVE-2023-21977 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-21977", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2022-12-17T19:26:00.736Z", "datePublished": "2023-04-18T19:54:36.958Z", "dateUpdated": "2024-09-16T15:05:39.216Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2023-04-18T19:54:36.958Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "MySQL Server", "versions": [{"version": "8.0.32 and prior", "status": "affected"}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2023.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20230427-0007/"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T09:59:28.597Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2023.html", "name": "Oracle Advisory", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230427-0007/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-16T14:38:39.844317Z", "id": "CVE-2023-21977", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-16T15:05:39.216Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2023.html", "name": "Oracle Advisory", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230427-0007/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T09:59:28.597Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-21977", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-16T14:38:39.844317Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-16T14:43:40.489Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Oracle Corporation", "product": "MySQL Server", "versions": [{"status": "affected", "version": "8.0.32 and prior"}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2023.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20230427-0007/"}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server."}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2023-04-18T19:54:36.958Z"}}}, "cveMetadata": {"cveId": "CVE-2023-21977", "state": "PUBLISHED", "dateUpdated": "2024-09-16T15:05:39.216Z", "dateReserved": "2022-12-17T19:26:00.736Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2023-04-18T19:54:36.958Z", "assignerShortName": "oracle"}, "dataVersion": "5.1"}

{"affected_release": [{"advisory": "RHSA-2024:0894", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "mysql:8.0-8090020240126173013.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-02-20T00:00:00Z"}, {"advisory": "RHSA-2024:1141", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "mysql-0:8.0.36-1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-03-05T00:00:00Z"}, {"advisory": "RHSA-2024:2619", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-mysql80-mysql-0:8.0.36-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2024-04-30T00:00:00Z"}], "bugzilla": {"description": "mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2023)", "id": "2188130", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188130"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "details": ["Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."], "name": "CVE-2023-21977", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "mysql", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "mariadb", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mariadb:10.3/mariadb", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mariadb:10.5/mariadb", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "mariadb", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "mariadb", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-mariadb103-mariadb", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-mariadb105-mariadb", "product_name": "Red Hat Software Collections"}], "public_date": "2023-04-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-21977\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-21977"], "threat_severity": "Moderate", "upstream_fix": "mysql 8.0.33"}