{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-22102", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2022-12-17T19:26:00.762Z", "datePublished": "2023-10-17T21:03:05.418Z", "dateUpdated": "2025-02-13T16:43:43.326Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2023-10-27T14:06:16.222Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "MySQL Connectors", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "8.1.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuoct2023.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20231027-0007/"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.3, "baseSeverity": "HIGH"}}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T09:59:29.044Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.oracle.com/security-alerts/cpuoct2023.html", "name": "Oracle Advisory", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231027-0007/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:mysql_connector\\/j:*:*:*:*:*:*:*:*", "matchCriteriaId": "00875B90-479F-4991-B4A2-F59D701F5018", "versionEndIncluding": "8.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."}, {"lang": "es", "value": "Vulnerabilidad en el producto MySQL Connectors de Oracle MySQL (componente: Connector/J). Las versiones compatibles que se ven afectadas son la 8.1.0 y anteriores. Una vulnerabilidad dif\u00edcil de explotar permite que un atacante no autenticado con acceso a la red a trav\u00e9s de m\u00faltiples protocolos comprometa los conectores MySQL. Los ataques exitosos requieren la interacci\u00f3n humana de una persona distinta del atacante y, si bien la vulnerabilidad est\u00e1 en los conectores MySQL, los ataques pueden afectar significativamente a productos adicionales (cambio de alcance). Los ataques exitosos a esta vulnerabilidad pueden resultar en la adquisici\u00f3n de MySQL Connectors. CVSS 3.1 Puntuaci\u00f3n base 8.3 (impactos en la confidencialidad, la integridad y la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."}], "id": "CVE-2023-22102", "lastModified": "2024-11-21T07:44:16.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "secalert_us@oracle.com", "type": "Secondary"}]}, "published": "2023-10-17T22:15:15.100", "references": [{"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20231027-0007/"}, {"source": "secalert_us@oracle.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2023.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20231027-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2023.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2023)", "id": "2256474", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256474"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "details": ["Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).", "A vulnerability was found in the MySQL Connectors product of Oracle MySQL (component: Connector/J). This issue may allow unauthenticated attackers with network access via multiple protocols to compromise MySQL Connectors. Successful attacks can result in a takeover of MySQL Connectors."], "name": "CVE-2023-22102", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "mysql-connector-java", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Not affected", "package_name": "mysql-connector-java", "product_name": "Red Hat build of Apache Camel for Quarkus"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "mysql-connector-java", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Will not fix", "package_name": "mysql/mysql-connector-java", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "mysql-connector-java", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Will not fix", "package_name": "mysql-connector-java", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "mysql-connector-java", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "mysql-connector-java", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "mysql-connector-java", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "mysql-connector-java", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "mysql-connector-java", "product_name": "Red Hat Integration Change Data Capture"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "mysql-connector-java", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "mysql-connector-java", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "mysql-connector-java", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "mysql-connector-java", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "mysql-connector-java", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Out of support scope", "package_name": "mysql-connector-java", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "mysql-connector-java", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2023-10-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-22102\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-22102\nhttps://www.oracle.com/security-alerts/cpuoct2023.html#AppendixMSQL"], "statement": "This flaw has been rated as having a security impact of Moderate because it is difficult to exploit and requires user interaction.\nThe package mariadb Java client is available in Red Hat Software Collections. It can be installed this way:\n# yum-config-manager --enable rhel-server-rhscl-7-rpms\n# yum install rh-mariadb105-mariadb-java-client\nThis JDBC driver works fine with both MariaDB and MySQL servers. We recommend use of mariadb-java-client over mysql-java-connector where possible.", "threat_severity": "Moderate"}