
[ASA-201902-21] python-mysql-connector: authentication bypass

2019-02-17 00:00:00
security.archlinux.org

CVSS2: 5.8 Medium
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3: 8.1 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE
  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS: 0.004 Low
  Percentile: 73.7%

Arch Linux Security Advisory ASA-201902-21

Severity: High
Date : 2019-02-17
CVE-ID : CVE-2019-2435
Package : python-mysql-connector
Type : authentication bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-898

Summary

The package python-mysql-connector before version 8.0.15-1 is
vulnerable to authentication bypass.

Resolution

Upgrade to 8.0.15-1.

pacman -Syu "python-mysql-connector>=8.0.15-1"

The problem has been fixed upstream in version 8.0.15.

Workaround

None.

Description

A flaw was found in mysql-connector prior to version 8.0.13. An
unauthenticated attacker with network access via TLS could compromise
MySQL Connectors. Successful attacks require human interaction from a
person other than the attacker and can result in unauthorized creation,
deletion or modification access to critical data.

Impact

An unauthenticated attacker could serve malicious TLS traffic and
bypass authentication.

References

https://bugs.archlinux.org/task/61758
https://github.com/mysql/mysql-connector-python/commit/069bc6737dd13b7f3a41d7fc23b789b659d8e205
https://security.netapp.com/advisory/ntap-20190118-0002/
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://security.archlinux.org/CVE-2019-2435

OS         Version  Architecture  Package                 Version     Filename
ArchLinux  any      any           python-mysql-connector  < 8.0.15-1  UNKNOWN
