Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.MYSQL_5_6_50.NASL
HistoryOct 22, 2020 - 12:00 a.m.

MySQL 5.6.x < 5.6.50 Multiple Vulnerabilities (Oct 2020 CPU)

2020-10-2200:00:00
This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
46
JSON

The version of MySQL running on the remote host is 5.6.x prior to 5.6.50. It is, therefore, affected by multiple vulnerabilities, including the following, as noted in the October 2020 Critical Patch Update advisory:

  • Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-14672)

  • Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-14765)

  • Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-14769)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

##
# (C) Tenable Network Security, Inc.
##

include('compat.inc');

if (description)
{
  script_id(141796);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/05/11");

  script_cve_id(
    "CVE-2020-14672",
    "CVE-2020-14765",
    "CVE-2020-14769",
    "CVE-2020-14793",
    "CVE-2020-14812",
    "CVE-2020-14867"
  );
  script_xref(name:"IAVA", value:"2020-A-0473-S");

  script_name(english:"MySQL 5.6.x < 5.6.50 Multiple Vulnerabilities (Oct 2020 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of MySQL running on the remote host is 5.6.x prior to 5.6.50. It is, therefore, affected by multiple
vulnerabilities, including the following, as noted in the October 2020 Critical Patch Update advisory:
  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). 
  Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. 
  Easily exploitable vulnerability allows high privileged attacker with network access via multiple 
  protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in 
  unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. 
  (CVE-2020-14672)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions 
  that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable 
  vulnerability allows low privileged attacker with network access via multiple protocols to compromise 
  MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a 
  hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-14765)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported 
  versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily 
  exploitable vulnerability allows low privileged attacker with network access via multiple protocols 
  to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized 
  ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-14769)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://www.oracle.com/security-alerts/cpuoct2020.html#AppendixMSQL
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6a84ed85");
  script_set_attribute(attribute:"solution", value:
"Upgrade to MySQL version 5.6.50 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-14867");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2020-14769");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/10/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/10/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/10/22");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mysql_version.nasl", "mysql_login.nasl", "mysql_version_local.nasl", "mysql_win_installed.nbin", "macosx_mysql_installed.nbin");
  script_require_keys("installed_sw/MySQL Server");

  exit(0);
}

include('vcf_extras_mysql.inc');

var app_info = vcf::mysql::combined_get_app_info();

var constraints = [{ 'min_version' : '5.6.0', 'fixed_version' : '5.6.50'}];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
VendorProductVersionCPE
oraclemysqlcpe:/a:oracle:mysql

Related

amazon 1
nessus 42
osv 18
debian 1
photon 7
altlinux 2
fedora 12
mageia 1
cve 6
redhatcve 6
prion 6
ubuntucve 6
veracode 6
debiancve 6
cbl_mariner 5
suse 3
mariadbunix 2
alpinelinux 2
ibm 2
freebsd 1
ubuntu 1
oraclelinux 2
almalinux 2
redhat 7
rocky 2
gentoo 1
oracle 1
amazon
amazon
Medium: mysql56
2021-01-12 22:51:00
nessus
nessus
Amazon Linux AMI : mysql56 (ALAS-2021-1464)
2021-01-14 00:00:00
Amazon Linux AMI : mysql56 (ALAS-2020-1465) (deprecated)
2020-12-19 00:00:00
Photon OS 2.0: Mysql PHSA-2020-2.0-0294
2020-11-10 00:00:00
osv
osv
mariadb-10.1 - security update
2021-01-31 00:00:00
CVE-2020-14672
2020-10-21 15:15:15
CVE-2020-14793
2020-10-21 15:15:19
debian
debian
[SECURITY] [DLA 2538-1] mariadb-10.1 security update
2021-01-31 21:54:33
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2020-2.0-0294
2020-11-06 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2020-1.0-0338
2020-11-17 00:00:00
Critical Photon OS Security Update - PHSA-2020-0338
2020-11-17 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 8 package mariadb version 10.1.48-alt1
2020-12-14 00:00:00
Security fix for the ALT Linux 9 package mariadb version 10.4.17-alt1
2020-11-13 00:00:00
fedora
fedora
[SECURITY] Fedora 33 Update: community-mysql-8.0.22-1.fc33
2020-11-06 01:15:28
[SECURITY] Fedora 31 Update: community-mysql-8.0.22-1.fc31
2020-11-07 00:23:11
[SECURITY] Fedora 32 Update: community-mysql-8.0.22-1.fc32
2020-11-06 01:23:03
mageia
mageia
Updated mariadb packages fix security vulnerabilities
2020-11-08 17:14:27
cve
cve
CVE-2020-14672
2020-10-21 15:15:00
CVE-2020-14769
2020-10-21 15:15:00
CVE-2020-14793
2020-10-21 15:15:00
redhatcve
redhatcve
CVE-2020-14672
2020-10-22 20:34:13
CVE-2020-14769
2020-10-22 20:34:28
CVE-2020-14793
2020-10-22 20:34:37
prion
prion
Code injection
2020-10-21 15:15:00
Code injection
2020-10-21 15:15:00
Code injection
2020-10-21 15:15:00
ubuntucve
ubuntucve
CVE-2020-14769
2020-10-21 00:00:00
CVE-2020-14793
2020-10-21 00:00:00
CVE-2020-14672
2020-10-21 00:00:00
veracode
veracode
Denial Of Service (DoS)
2021-10-18 14:26:37
Denial Of Service (DoS)
2021-10-18 14:26:43
Denial Of Service (DoS)
2021-10-18 14:27:08
debiancve
debiancve
CVE-2020-14672
2020-10-21 15:15:00
CVE-2020-14769
2020-10-21 15:15:00
CVE-2020-14793
2020-10-21 15:15:00
cbl_mariner
cbl_mariner
CVE-2020-14793 affecting package mysql 8.0.21-1
2021-08-25 19:57:27
CVE-2020-14769 affecting package mysql 8.0.21-1
2021-08-25 19:57:27
CVE-2020-14867 affecting package mysql 8.0.21-1
2021-08-25 19:57:27
suse
suse
Security update for mariadb (important)
2020-12-15 00:00:00
Security update for mariadb (moderate)
2020-12-02 00:00:00
Security update for mariadb (moderate)
2020-11-28 00:00:00
mariadbunix
mariadbunix
CVE-2020-14812
2020-10-21 15:15:20
CVE-2020-14765
2020-10-21 15:15:17
alpinelinux
alpinelinux
CVE-2020-14765
2020-10-21 15:15:00
CVE-2020-14812
2020-10-21 15:15:00
ibm
ibm
Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities
2021-06-22 18:08:38
Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL
2021-08-25 20:23:17
freebsd
freebsd
MySQL -- Multiple vulnerabilities
2020-10-20 00:00:00
ubuntu
ubuntu
MySQL vulnerabilities
2020-10-27 00:00:00
oraclelinux
oraclelinux
mariadb:10.3 security, bug fix, and enhancement update
2020-12-18 00:00:00
mysql:8.0 security, bug fix, and enhancement update
2021-09-23 00:00:00
almalinux
almalinux
Important: mariadb:10.3 security, bug fix, and enhancement update
2020-12-15 16:03:43
Moderate: mysql:8.0 security, bug fix, and enhancement update
2021-09-21 07:13:26
redhat
redhat
(RHSA-2020:5500) Important: mariadb:10.3 security, bug fix, and enhancement update
2020-12-15 16:03:43
(RHSA-2020:5665) Important: mariadb:10.3 security, bug fix, and enhancement update
2020-12-22 08:57:51
(RHSA-2020:5654) Important: mariadb:10.3 security, bug fix, and enhancement update
2020-12-22 08:27:07
rocky
rocky
mariadb:10.3 security, bug fix, and enhancement update
2020-12-15 16:03:43
mysql:8.0 security, bug fix, and enhancement update
2021-09-21 07:13:26
gentoo
gentoo
MySQL: Multiple vulnerabilities
2021-05-26 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2020
2020-10-20 00:00:00
JSON
Related for MYSQL_5_6_50.NASL
amazon1nessus42osv18debian1photon7altlinux2fedora12mageia1cve6redhatcve6prion6ubuntucve6veracode6debiancve6cbl_mariner5suse3mariadbunix2alpinelinux2ibm2freebsd1ubuntu1oraclelinux2almalinux2redhat7rocky2gentoo1oracle1