ISHACK AI BOT

Oracle Linux: CVE-2023-22064: ELSA-2024-1141:mysql security update (MODERATE) (Multiple Advisories) Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 10/17/2023 Created 02/24/2024 Added 02/22/2024 Modified 01/07/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) oracle-linux-upgrade-mecab oracle-linux-upgrade-mecab-devel oracle-linux-upgrade-mecab-ipadic oracle-linux-upgrade-mecab-ipadic-eucjp oracle-linux-upgrade-mysql oracle-linux-upgrade-mysql-common oracle-linux-upgrade-mysql-devel oracle-linux-upgrade-mysql-errmsg oracle-linux-upgrade-mysql-libs oracle-linux-upgrade-mysql-server oracle-linux-upgrade-mysql-test References https://attackerkb.com/topics/cve-2023-22064 CVE - 2023-22064 ELSA-2024-1141 ELSA-2024-0894

VMware Photon OS: CVE-2023-22068 Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 10/17/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).Supported versions that are affected are 8.0.34 and prior and8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-22068 CVE - 2023-22068

VMware Photon OS: CVE-2023-22112 Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 10/17/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-22112 CVE - 2023-22112

VMware Photon OS: CVE-2023-22097 Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 10/17/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).Supported versions that are affected are 8.0.34 and prior and8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-22097 CVE - 2023-22097

VMware Photon OS: CVE-2023-22103 Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 10/17/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).Supported versions that are affected are 8.0.34 and prior and8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-22103 CVE - 2023-22103

VMware Photon OS: CVE-2023-22092 Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 10/17/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-22092 CVE - 2023-22092

FreeBSD: VID-22DF5074-71CD-11EE-85EB-84A93843EB75 (CVE-2023-22094): MySQL -- Multiple vulnerabilities Severity 6 CVSS (AV:L/AC:M/Au:S/C:N/I:C/A:C) Published 10/17/2023 Created 10/26/2023 Added 10/24/2023 Modified 01/28/2025 Description Vulnerability in the MySQL Installer product of Oracle MySQL (component: Installer: General).Supported versions that are affected are Prior to 1.6.8. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Installer executes to compromise MySQL Installer.Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Installer, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result inunauthorized creation, deletion or modification access to critical data or all MySQL Installer accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Installer. Note: This patch is used in MySQL Server bundled version 8.0.35 and 5.7.44. CVSS 3.1 Base Score 7.9 (Integrity and Availability impacts).CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H). Solution(s) freebsd-upgrade-package-mysql-connector-c freebsd-upgrade-package-mysql-connector-j freebsd-upgrade-package-mysql-connector-odbc freebsd-upgrade-package-mysql57-server freebsd-upgrade-package-mysql80-server References CVE-2023-22094

Huawei EulerOS: CVE-2023-45803: python-urllib3 security update Severity 5 CVSS (AV:A/AC:M/Au:M/C:C/I:N/A:N) Published 10/17/2023 Created 02/13/2024 Added 02/12/2024 Modified 01/30/2025 Description urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body. Solution(s) huawei-euleros-2_0_sp9-upgrade-python3-urllib3 References https://attackerkb.com/topics/cve-2023-45803 CVE - 2023-45803 EulerOS-SA-2024-1205

Gentoo Linux: CVE-2023-22098: Oracle VirtualBox: Multiple Vulnerabilities Severity 7 CVSS (AV:L/AC:L/Au:M/C:C/I:C/A:C) Published 10/17/2023 Created 09/24/2024 Added 09/23/2024 Modified 01/28/2025 Description Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).Supported versions that are affected are Prior to 7.0.12. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change).Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: Only applicable to 7.0.x platform. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts).CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). Solution(s) gentoo-linux-upgrade-app-emulation-virtualbox References https://attackerkb.com/topics/cve-2023-22098 CVE - 2023-22098 202409-11

Huawei EulerOS: CVE-2023-45803: python-urllib3 security update Severity 5 CVSS (AV:A/AC:M/Au:M/C:C/I:N/A:N) Published 10/17/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/30/2025 Description urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body. Solution(s) huawei-euleros-2_0_sp10-upgrade-python3-urllib3 References https://attackerkb.com/topics/cve-2023-45803 CVE - 2023-45803 EulerOS-SA-2024-1096

AdoptOpenJDK: CVE-2023-22067: Vulnerability with CORBA component Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:P/A:N) Published 10/17/2023 Created 11/10/2023 Added 11/09/2023 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: CORBA).Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf; Oracle GraalVM Enterprise Edition: 20.3.11 and21.3.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via CORBA to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution(s) adoptopenjdk-upgrade-latest References https://attackerkb.com/topics/cve-2023-22067 CVE - 2023-22067 https://adoptopenjdk.net/releases

AdoptOpenJDK: CVE-2023-22025: Vulnerability with Hotspot component Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 10/17/2023 Created 11/10/2023 Added 11/09/2023 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u381-perf, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 21.3.7 and22.3.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition,.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution(s) adoptopenjdk-upgrade-latest References https://attackerkb.com/topics/cve-2023-22025 CVE - 2023-22025 https://adoptopenjdk.net/releases

FreeBSD: (Multiple Advisories) (CVE-2023-38545): MySQL -- Multiple vulnerabilities Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 10/17/2023 Created 10/26/2023 Added 10/24/2023 Modified 01/28/2025 Description This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with. Solution(s) freebsd-upgrade-package-cmake-core freebsd-upgrade-package-curl freebsd-upgrade-package-mysql-connector-c freebsd-upgrade-package-mysql-connector-j freebsd-upgrade-package-mysql-connector-odbc freebsd-upgrade-package-mysql57-server freebsd-upgrade-package-mysql80-server References CVE-2023-38545

Oracle Database: Critical Patch Update - October 2023 (CVE-2022-44729) Severity 6 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:C) Published 10/17/2023 Created 10/20/2023 Added 10/18/2023 Modified 01/28/2025 Description Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later. Solution(s) oracle-apply-oct-2023-cpu References https://attackerkb.com/topics/cve-2022-44729 CVE - 2022-44729 http://www.oracle.com/security-alerts/cpuoct2023.html https://support.oracle.com/rs?type=doc&id=2966413.1

Oracle Database: Critical Patch Update - October 2023 (CVE-2022-23491) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 10/17/2023 Created 10/20/2023 Added 10/18/2023 Modified 01/30/2025 Description Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion. Solution(s) oracle-apply-oct-2023-cpu References https://attackerkb.com/topics/cve-2022-23491 CVE - 2022-23491 http://www.oracle.com/security-alerts/cpuoct2023.html https://support.oracle.com/rs?type=doc&id=2966413.1

Amazon Linux 2023: CVE-2023-22067: Medium priority package update for java-1.8.0-amazon-corretto (Multiple Advisories) Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:P/A:N) Published 10/17/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: CORBA).Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf; Oracle GraalVM Enterprise Edition: 20.3.11 and21.3.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via CORBA to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution(s) amazon-linux-2023-upgrade-java-1-8-0-amazon-corretto amazon-linux-2023-upgrade-java-1-8-0-amazon-corretto-devel References https://attackerkb.com/topics/cve-2023-22067 CVE - 2023-22067 https://alas.aws.amazon.com/AL2023/ALAS-2023-398.html https://alas.aws.amazon.com/AL2023/ALAS-2023-426.html

Oracle Database: Critical Patch Update - October 2023 (CVE-2023-22071) Severity 5 CVSS (AV:N/AC:M/Au:M/C:P/I:P/A:P) Published 10/17/2023 Created 10/20/2023 Added 10/18/2023 Modified 01/28/2025 Description Vulnerability in the PL/SQL component of Oracle Database Server.Supported versions that are affected are 19.3-19.20 and21.3-21.11. Easily exploitable vulnerability allows high privileged attacker having Create Session, Execute on sys.utl_http privilege with network access via Oracle Net to compromise PL/SQL.Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PL/SQL, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of PL/SQL accessible data as well asunauthorized read access to a subset of PL/SQL accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PL/SQL. CVSS 3.1 Base Score 5.9 (Confidentiality, Integrity and Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L). Solution(s) oracle-apply-oct-2023-cpu References https://attackerkb.com/topics/cve-2023-22071 CVE - 2023-22071 http://www.oracle.com/security-alerts/cpuoct2023.html https://support.oracle.com/rs?type=doc&id=2966413.1

Oracle Database: Critical Patch Update - October 2023 (CVE-2023-22073) Severity 3 CVSS (AV:A/AC:L/Au:N/C:P/I:N/A:N) Published 10/17/2023 Created 10/20/2023 Added 10/18/2023 Modified 01/28/2025 Description Vulnerability in the Oracle Notification Server component of Oracle Database Server.Supported versions that are affected are 19.3-19.20 and21.3-21.11. Easily exploitable vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Oracle Notification Server executes to compromise Oracle Notification Server.Successful attacks of this vulnerability can result inunauthorized read access to a subset of Oracle Notification Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts).CVSS Vector: (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). Solution(s) oracle-apply-oct-2023-cpu References https://attackerkb.com/topics/cve-2023-22073 CVE - 2023-22073 http://www.oracle.com/security-alerts/cpuoct2023.html https://support.oracle.com/rs?type=doc&id=2966413.1

Oracle Database: Critical Patch Update - October 2023 (CVE-2023-22074) Severity 3 CVSS (AV:N/AC:M/Au:M/C:N/I:N/A:P) Published 10/17/2023 Created 10/20/2023 Added 10/18/2023 Modified 01/28/2025 Description Vulnerability in the Oracle Database Sharding component of Oracle Database Server.Supported versions that are affected are 19.3-19.20 and21.3-21.11. Easily exploitable vulnerability allows high privileged attacker having Create Session, Select Any Dictionary privilege with network access via Oracle Net to compromise Oracle Database Sharding.Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Database Sharding. CVSS 3.1 Base Score 2.4 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L). Solution(s) oracle-apply-oct-2023-cpu References https://attackerkb.com/topics/cve-2023-22074 CVE - 2023-22074 http://www.oracle.com/security-alerts/cpuoct2023.html https://support.oracle.com/rs?type=doc&id=2966413.1

Oracle Database: Critical Patch Update - October 2023 (CVE-2023-38039) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 10/17/2023 Created 10/20/2023 Added 10/18/2023 Modified 01/28/2025 Description When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory. Solution(s) oracle-apply-oct-2023-cpu References https://attackerkb.com/topics/cve-2023-38039 CVE - 2023-38039 http://www.oracle.com/security-alerts/cpuoct2023.html https://support.oracle.com/rs?type=doc&id=2966413.1

Ubuntu: USN-6288-2 (CVE-2023-22015): MySQL vulnerability Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 10/17/2023 Created 01/23/2024 Added 01/22/2024 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).Supported versions that are affected are 5.7.42 and prior and8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) ubuntu-pro-upgrade-mysql-server-5-7 References https://attackerkb.com/topics/cve-2023-22015 CVE - 2023-22015 USN-6288-2

Alpine Linux: CVE-2023-22025: Vulnerability in Multiple Components Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 10/17/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u381-perf, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 21.3.7 and22.3.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition,.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution(s) alpine-linux-upgrade-openjdk17 alpine-linux-upgrade-openjdk21 References https://attackerkb.com/topics/cve-2023-22025 CVE - 2023-22025 https://security.alpinelinux.org/vuln/CVE-2023-22025

IBM AIX: python_advisory11 (CVE-2023-45803): Vulnerability in python affects AIX Severity 5 CVSS (AV:A/AC:M/Au:M/C:C/I:N/A:N) Published 10/17/2023 Created 08/14/2024 Added 08/13/2024 Modified 01/30/2025 Description urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body. Solution(s) ibm-aix-python_advisory11 References https://attackerkb.com/topics/cve-2023-45803 CVE - 2023-45803 https://aix.software.ibm.com/aix/efixes/security/python_advisory11.asc

FreeBSD: VID-22DF5074-71CD-11EE-85EB-84A93843EB75 (CVE-2023-22115): MySQL -- Multiple vulnerabilities Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 10/17/2023 Created 10/26/2023 Added 10/24/2023 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) freebsd-upgrade-package-mysql-connector-c freebsd-upgrade-package-mysql-connector-j freebsd-upgrade-package-mysql-connector-odbc freebsd-upgrade-package-mysql57-server freebsd-upgrade-package-mysql80-server References CVE-2023-22115

FreeBSD: VID-22DF5074-71CD-11EE-85EB-84A93843EB75 (CVE-2023-22097): MySQL -- Multiple vulnerabilities Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 10/17/2023 Created 10/26/2023 Added 10/24/2023 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).Supported versions that are affected are 8.0.34 and prior and8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) freebsd-upgrade-package-mysql-connector-c freebsd-upgrade-package-mysql-connector-j freebsd-upgrade-package-mysql-connector-odbc freebsd-upgrade-package-mysql57-server freebsd-upgrade-package-mysql80-server References CVE-2023-22097