CVE-2022-45347

2022-12-2211:15:09

CWE-459

apache

web.nvd.nist.gov

cve-2022-45347

apache

shardingsphere

proxy

mysql

database

security

vulnerability

nvd

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.03

Percentile

91.0%

JSON

Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn’t cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client. This vulnerability has been fixed in Apache ShardingSphere 5.3.0.

Affected configurations

Nvd

Vulners

Node

apacheshardingsphereRange<5.3.0

VendorProductVersionCPE
apacheshardingsphere*cpe:2.3:a:apache:shardingsphere:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	shardingsphere	*	cpe:2.3:a:apache:shardingsphere::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache ShardingSphere-Proxy",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "5.3.0",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]