Lucene search

GitHub Advisory DatabaseGHSA-WMXM-6WXC-3XQF

HistoryDec 22, 2022 - 12:30 p.m.

Apache ShardingSphere-Proxy Incomplete Cleanup vulnerability

2022-12-2212:30:16

CWE-459

GitHub Advisory Database

github.com

apache

shardingsphere-proxy

mysql

database

vulnerability

attack

fix

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.03

Percentile

91.0%

JSON

Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn’t cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client. This vulnerability has been fixed in Apache ShardingSphere 5.3.0.

Affected configurations

Vulners

Node

org.apache.shardingsphereshardingsphere-proxyRange<5.3.0

VendorProductVersionCPE
org.apache.shardingsphereshardingsphere-proxy*cpe:2.3:a:org.apache.shardingsphere:shardingsphere-proxy:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.shardingsphere	shardingsphere-proxy	*	cpe:2.3:a:org.apache.shardingsphere:shardingsphere-proxy::::::::

References

github.com/advisories/GHSA-wmxm-6wxc-3xqf

lists.apache.org/thread/l5rz7j4rg10o7ywtgknh2f5hxnv6yw3l

nvd.nist.gov/vuln/detail/CVE-2022-45347

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.03

Percentile

91.0%

JSON

Related for GHSA-WMXM-6WXC-3XQF