Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.MYSQL_8_4_0.NASL
HistoryApr 19, 2024 - 12:00 a.m.

Oracle MySQL Server 8.x < 8.4.0 (April 2024 CPU)

2024-04-1900:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
30
oracle mysql
server
vulnerabilities
packaging
dml
information schema
network access
dos
unauthorized access
tls
april 2024 cpu

5.8 Medium

AI Score

Confidence

High

JSON

The versions of MySQL Server installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2024 CPU advisory.

  • Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging (OpenSSL)).
    Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. (CVE-2023-6129)

  • Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.34 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. (CVE-2024-21015)

  • Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2024-20994)

Note that Nessus has not tested for these issues but has instead relied only on the applicationโ€™s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(193567);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/22");

  script_cve_id(
    "CVE-2023-6129",
    "CVE-2024-20994",
    "CVE-2024-20998",
    "CVE-2024-21000",
    "CVE-2024-21008",
    "CVE-2024-21009",
    "CVE-2024-21013",
    "CVE-2024-21015",
    "CVE-2024-21047",
    "CVE-2024-21054",
    "CVE-2024-21060",
    "CVE-2024-21062",
    "CVE-2024-21069",
    "CVE-2024-21087",
    "CVE-2024-21096",
    "CVE-2024-21102"
  );

  script_name(english:"Oracle MySQL Server 8.x < 8.4.0 (April 2024 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The versions of MySQL Server installed on the remote host are affected by multiple vulnerabilities as referenced in the
April 2024 CPU advisory.

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging (OpenSSL)).
    Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability
    allows unauthenticated attacker with network access via TLS to compromise MySQL Server. Successful attacks of this
    vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete
    DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible
    data. (CVE-2023-6129)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that
    are affected are 8.0.34 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged
    attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this
    vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS)
    of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible
    data. (CVE-2024-21015)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported
    versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability
    allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful
    attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash
    (complete DOS) of MySQL Server. (CVE-2024-20994)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2024.html");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpuapr2024csaf.json");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the April 2024 Oracle Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:M/C:N/I:P/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-21015");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-6129");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/04/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/19");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mysql_version.nasl", "mysql_login.nasl");
  script_require_ports("Services/mysql", 3306);

  exit(0);
}

include('mysql_version.inc');

mysql_check_version(fixed:'8.4.0', min:'8.1', severity:SECURITY_WARNING);
VendorProductVersionCPE
oraclemysqlcpe:/a:oracle:mysql

References

Related

nessus 18
openvas 16
f5 9
ubuntucve 16
cve 16
cvelist 16
debiancve 16
cnvd 4
redhatcve 16
osv 4
alpinelinux 2
slackware 1
cbl_mariner 1
openssl 1
prion 1
freebsd 1
veracode 1
ibm 8
aix 1
cloudfoundry 1
mageia 2
ubuntu 1
almalinux 1
oraclelinux 1
redhat 2
oracle 1
nessus
nessus
Oracle MySQL Server 8.0.x < 8.0.37 (April 2024 CPU)
2024-04-19 00:00:00
Oracle MySQL Enterprise Monitor (Apr 2024 CPU)
2024-04-18 00:00:00
FreeBSD : OpenSSL -- Vector register corruption on PowerPC (8337251b-b07b-11ee-b0d7-84a93843eb75)
2024-01-11 00:00:00
openvas
openvas
Oracle MySQL Server 8.x <= 8.0.36, 8.1.x <= 8.3.0 Security Update (cpuapr2024) - Linux
2024-04-18 00:00:00
Oracle MySQL Server 8.x <= 8.0.36, 8.1.x <= 8.3.0 Security Update (cpuapr2024) - Windows
2024-04-18 00:00:00
Slackware: Security Advisory (SSA:2024-141-01)
2024-05-21 00:00:00
f5
f5
K000139618: MySQL vulnerabilities CVE-2024-21054, CVE-2024-21009, CVE-2024-20993, and CVE-2024-21102
2024-05-15 00:00:00
K000139607: MySQL Server vulnerabilities CVE-2024-21013 and CVE-2024-21062
2024-05-14 00:00:00
K000139668: MySQL Server vulnerabilities CVE-2024-21000 and CVE-2024-21008
2024-05-17 00:00:00
ubuntucve
ubuntucve
CVE-2024-21000
2024-04-16 00:00:00
CVE-2024-21069
2024-04-16 00:00:00
CVE-2024-20998
2024-04-16 00:00:00
cve
cve
CVE-2024-21069
2024-04-16 22:15:25
CVE-2024-21054
2024-04-16 22:15:22
CVE-2024-20998
2024-04-16 22:15:13
cvelist
cvelist
CVE-2024-21015
2024-04-16 21:26:03
CVE-2024-20994
2024-04-16 21:25:56
CVE-2024-21013
2024-04-16 21:26:02
debiancve
debiancve
CVE-2024-21000
2024-04-16 22:15:13
CVE-2024-20994
2024-04-16 22:15:12
CVE-2024-20998
2024-04-16 22:15:13
cnvd
cnvd
Oracle MySQL Denial of Service Vulnerability (CNVD-2024-19018)
2024-04-18 00:00:00
Unspecified Vulnerability in Oracle MySQL (CNVD-2024-20436)
2024-04-18 00:00:00
Oracle MySQL Denial of Service Vulnerability (CNVD-2024-19009)
2024-04-18 00:00:00
redhatcve
redhatcve
CVE-2024-20994
2024-04-23 09:05:26
CVE-2024-21054
2024-04-23 09:05:49
CVE-2024-20998
2024-04-23 09:05:31
osv
osv
CVE-2024-21096
2024-04-16 22:15:30
CVE-2023-6129
2024-01-09 17:15:12
openssl vulnerabilities
2024-02-05 12:18:56
alpinelinux
alpinelinux
CVE-2024-21096
2024-04-16 22:15:30
CVE-2023-6129
2024-01-09 17:15:12
slackware
slackware
[slackware-security] mariadb
2024-05-20 18:48:17
cbl_mariner
cbl_mariner
CVE-2023-6129 affecting package openssl for versions less than 3.3.0-1
2024-05-17 21:38:35
openssl
openssl
Vulnerability in OpenSSL CVE-2023-6129
2024-01-09 00:00:00
prion
prion
Design/Logic Flaw
2024-01-09 17:15:00
freebsd
freebsd
OpenSSL -- Vector register corruption on PowerPC
2024-01-09 00:00:00
veracode
veracode
Out-of-bounds Write
2024-01-30 19:15:17
ibm
ibm
Security Bulletin: IBM Virtualization Engine TS7700 is susceptible to a denial of service due to the use of OpenSSL (CVE-2023-6129)
2024-04-30 21:48:42
Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service due to OpenSSL [CVE-2023-5678, CVE-2023-6129]
2024-03-15 13:36:51
Security Bulletin: AIX is vulnerable to a denial of service (CVE-2023-5678, CVE-2023-6129, CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL
2024-01-25 21:15:41
aix
aix
AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL
2024-01-25 14:11:09
cloudfoundry
cloudfoundry
USN-6622-1: OpenSSL vulnerabilities | Cloud Foundry
2024-02-29 00:00:00
mageia
mageia
Updated quictls packages fix security vulnerabilities
2024-02-15 02:02:34
Updated openssl packages fix security vulnerabilities
2024-02-04 05:49:27
ubuntu
ubuntu
OpenSSL vulnerabilities
2024-02-05 00:00:00
almalinux
almalinux
Low: openssl and openssl-fips-provider security update
2024-04-30 00:00:00
oraclelinux
oraclelinux
openssl and openssl-fips-provider security update
2024-05-03 00:00:00
redhat
redhat
(RHSA-2024:2447) Low: openssl and openssl-fips-provider security update
2024-04-30 06:15:44
(RHSA-2024:2619) Moderate: rh-mysql80-mysql security update
2024-04-30 16:31:20
oracle
oracle
Oracle Critical Patch Update Advisory - April 2024
2024-04-16 00:00:00

5.8 Medium

AI Score

Confidence

High

JSON
Related for MYSQL_8_4_0.NASL
nessus18openvas16f59ubuntucve16cve16cvelist16debiancve16cnvd4redhatcve16osv4alpinelinux2slackware1cbl_mariner1openssl1prion1freebsd1veracode1ibm8aix1cloudfoundry1mageia2ubuntu1almalinux1oraclelinux1redhat2oracle1