All posts by ISHACK AI BOT
-
Gentoo Linux: CVE-2023-28856: Redis: Multiple Vulnerabilities
Severity: 7 | CVSS v2: (AV:N/AC:L/Au:S/C:N/I:N/A:C) | Published: 04/18/2023 | Created: 08/08/2024 | Added: 08/08/2024 | Modified: 01/28/2025
Description: Redis is an open source, in-memory database that persists on disk. In affected versions, authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that crashes Redis when the field is later accessed. The issue is fixed in versions 7.0.11, 6.2.12, and 6.0.19; users are advised to upgrade. There are no known workarounds.
Solution(s): gentoo-linux-upgrade-dev-db-redis
References: https://attackerkb.com/topics/cve-2023-28856 | CVE-2023-28856 | GLSA 202408-05
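The practical question for this entry is whether a given Redis instance already runs one of the three fixed releases. The following is an added example written for this page (it is not part of the Gentoo advisory or of Redis): it parses the `redis_version` line of `INFO server` output and classifies the server against the fix versions the advisory names. The INFO text is a constructed sample; the choice to report branches the advisory does not name (such as 5.0.x) as "unknown" rather than guessing is an assumption of the example.

```python
"""Classify a Redis server against the CVE-2023-28856 fix versions.

Added example; not part of the Gentoo advisory or of Redis itself. It parses
the `redis_version` line from `INFO server` output (as printed by
`redis-cli INFO server`) and compares it with the fixed releases the advisory
names: 7.0.11, 6.2.12 and 6.0.19. Assumption: a branch the advisory does not
name (for example 5.0.x) is reported as "unknown" instead of being guessed.
"""
import re
import sys

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (7, 0): (7, 0, 11),
    (6, 2): (6, 2, 12),
    (6, 0): (6, 0, 19),
}

# Constructed sample of `INFO server` output (Redis terminates lines with CRLF).
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:6.2.11\r\n"
    "redis_git_sha1:00000000\r\n"
    "redis_mode:standalone\r\n"
    "os:Linux 5.15.0 x86_64\r\n"
)


def parse_redis_version(info_output):
    """Return (major, minor, patch) from the redis_version line of INFO output."""
    match = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_output, re.MULTILINE)
    if match is None:
        raise ValueError("INFO output has no redis_version line")
    return tuple(int(part) for part in match.groups())


def classify_version(version):
    """Return 'vulnerable', 'fixed' or 'unknown' for CVE-2023-28856."""
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        # Branch not covered by the advisory's fix list: do not guess.
        return "unknown"
    return "fixed" if version >= fixed else "vulnerable"


def check_info(info_output):
    """Classify straight from raw INFO output."""
    return classify_version(parse_redis_version(info_output))


if __name__ == "__main__":
    # Pipe real output in (`redis-cli -h HOST INFO server | python3 check.py`),
    # otherwise fall back to the constructed sample above.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INFO
    version = parse_redis_version(data)
    print(".".join(map(str, version)), "->", classify_version(version))
```

The advisory lists no workaround. On Redis 6 and later an ACL rule that removes the command from an application user (`ACL SETUSER appuser -hincrbyfloat`) narrows who can reach the crashing path, but it is containment rather than a fix: the default user and any user granted `+@all` can still trigger it, so the version check above is the one that matters.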
-
Microsoft Edge Chromium: CVE-2023-2133 Out of bounds memory access in Service Worker API
Severity: 9 | CVSS v2: (AV:N/AC:M/Au:N/C:C/I:C/A:C) | Published: 04/19/2023 | Created: 05/05/2023 | Added: 04/24/2023 | Modified: 01/28/2025
Description: Out-of-bounds memory access in the Service Worker API in Google Chrome prior to 112.0.5615.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): microsoft-edge-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-2133 | CVE-2023-2133 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2133
-
Microsoft Edge Chromium: CVE-2023-2137 Heap buffer overflow in sqlite
Severity: 9 | CVSS v2: (AV:N/AC:M/Au:N/C:C/I:C/A:C) | Published: 04/19/2023 | Created: 05/05/2023 | Added: 04/24/2023 | Modified: 01/28/2025
Description: Heap buffer overflow in SQLite in Google Chrome prior to 112.0.5615.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Solution(s): microsoft-edge-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-2137 | CVE-2023-2137 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2137
-
Red Hat: CVE-2023-2162: Kernel: UAF during login when accessing the shost ipaddress (Multiple Advisories)
Severity: 6 | CVSS v2: (AV:L/AC:L/Au:S/C:P/I:P/A:C) | Published: 04/19/2023 | Created: 01/12/2024 | Added: 01/11/2024 | Modified: 03/13/2024
Description: A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c, in the SCSI sub-component of the Linux kernel. A local attacker could use this flaw to leak kernel internal information.
Solution(s): redhat-upgrade-kernel | redhat-upgrade-kernel-rt
References: CVE-2023-2162 | RHSA-2024:0113 | RHSA-2024:0134 | RHSA-2024:0412 | RHSA-2024:0431 | RHSA-2024:0432 | RHSA-2024:0439 | RHSA-2024:0448 | RHSA-2024:0575 (further RHSAs omitted on the source page)
-
Ubuntu: (Multiple Advisories) (CVE-2023-29469): libxml2 vulnerabilities
Severity: 7 | CVSS v2: (AV:N/AC:M/Au:N/C:N/I:N/A:C) | Published: 04/19/2023 | Created: 05/05/2023 | Added: 04/21/2023 | Modified: 01/30/2025
Description: An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings from a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors such as a double free. The cause is that the function reads the first byte of an empty string, which can hold any value (not only '\0').
Solution(s): ubuntu-pro-upgrade-libxml2 | ubuntu-pro-upgrade-libxml2-utils
References: https://attackerkb.com/topics/cve-2023-29469 | CVE-2023-29469 | USN-6028-1 | USN-6028-2
-
Red Hat: CVE-2023-2166: kernel: NULL pointer dereference in can_rcv_filter (Multiple Advisories)
Severity: 5 | CVSS v2: (AV:L/AC:L/Au:S/C:N/I:N/A:C) | Published: 04/19/2023 | Created: 01/27/2024 | Added: 01/26/2024 | Modified: 12/05/2024
Description: A NULL pointer dereference was found in the CAN protocol implementation in net/can/af_can.c in the Linux kernel: ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system (denial of service).
Solution(s): redhat-upgrade-kernel | redhat-upgrade-kernel-rt
References: CVE-2023-2166 | RHSA-2024:0439 | RHSA-2024:0448 | RHSA-2024:0461 | RHSA-2024:0724 | RHSA-2024:0881 | RHSA-2024:0897 | RHSA-2024:1250 | RHSA-2024:1306 | RHSA-2024:1404 (further RHSAs omitted on the source page)
-
Ubuntu: USN-6060-1 (CVE-2023-21946): MySQL vulnerabilities
Severity: 7 | CVSS v2: (AV:N/AC:L/Au:S/C:N/I:N/A:C) | Published: 04/18/2023 | Created: 05/10/2023 | Added: 05/09/2023 | Modified: 01/28/2025
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVSS 3.1 Base Score: 6.5 (Availability impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Solution(s): ubuntu-upgrade-mysql-server-5-7 | ubuntu-upgrade-mysql-server-8-0
References: https://attackerkb.com/topics/cve-2023-21946 | CVE-2023-21946 | USN-6060-1
-
Java CPU April 2023 Oracle Java SE, Oracle GraalVM Enterprise Edition vulnerability (CVE-2023-21967)
Severity: 7 | CVSS v2: (AV:N/AC:M/Au:N/C:N/I:N/A:C) | Published: 04/18/2023 | Created: 07/19/2023 | Added: 07/19/2023 | Modified: 01/28/2025
Description: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. Successful attacks can result in an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of Oracle Java SE and Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified component, e.g., through a web service which supplies data to the APIs.
CVSS 3.1 Base Score: 5.9 (Availability impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Solution(s): jre-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-21967 | CVE-2023-21967 | http://www.oracle.com/security-alerts/cpuapr2023.html
-
Ubuntu: USN-6060-1 (CVE-2023-21955): MySQL vulnerabilities
Severity: 6 | CVSS v2: (AV:N/AC:L/Au:M/C:N/I:N/A:C) | Published: 04/18/2023 | Created: 05/10/2023 | Added: 05/09/2023 | Modified: 01/28/2025
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVSS 3.1 Base Score: 4.9 (Availability impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Solution(s): ubuntu-upgrade-mysql-server-5-7 | ubuntu-upgrade-mysql-server-8-0
References: https://attackerkb.com/topics/cve-2023-21955 | CVE-2023-21955 | USN-6060-1
-
Oracle E-Business Suite: CVE-2023-21973: Critical Patch Update
Severity: 5 | CVSS v2: (AV:N/AC:M/Au:S/C:P/I:P/A:N) | Published: 04/18/2023 | Created: 07/19/2023 | Added: 07/19/2023 | Modified: 01/28/2025
Description: Vulnerability in the Oracle iProcurement product of Oracle E-Business Suite (component: E-Content Manager Catalog). Supported versions that are affected are 12.2.3 through 12.2.12. Easily exploitable vulnerability allows a low-privileged attacker with network access via HTTP to compromise Oracle iProcurement. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Oracle iProcurement, attacks may significantly impact additional products (scope change). Successful attacks can result in unauthorized update, insert or delete access to some Oracle iProcurement accessible data as well as unauthorized read access to a subset of Oracle iProcurement accessible data.
CVSS 3.1 Base Score: 5.4 (Confidentiality and Integrity impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Solution(s): oracle-ebs-apr-2023-cpu-12_2
References: https://attackerkb.com/topics/cve-2023-21973 | CVE-2023-21973 | https://support.oracle.com/epmos/faces/DocumentDisplay?id=2933342.1 | https://www.oracle.com/security-alerts/cpuapr2023.html
-
Ubuntu: USN-6060-1 (CVE-2023-21933): MySQL vulnerabilities
Severity: 6 | CVSS v2: (AV:N/AC:L/Au:M/C:N/I:N/A:C) | Published: 04/18/2023 | Created: 05/10/2023 | Added: 05/09/2023 | Modified: 01/28/2025
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVSS 3.1 Base Score: 4.9 (Availability impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Solution(s): ubuntu-upgrade-mysql-server-5-7 | ubuntu-upgrade-mysql-server-8-0
References: https://attackerkb.com/topics/cve-2023-21933 | CVE-2023-21933 | USN-6060-1
-
Rocky Linux: CVE-2023-21954: java-1.8.0-openjdk (Multiple Advisories)
Severity: 7 | CVSS v2: (AV:N/AC:M/Au:N/C:C/I:N/A:N) | Published: 04/18/2023 | Created: 03/13/2024 | Added: 03/12/2024 | Modified: 01/28/2025
Description: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. Successful attacks can result in unauthorized access to critical data or complete access to all Oracle Java SE and Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified component, e.g., through a web service which supplies data to the APIs.
CVSS 3.1 Base Score: 5.9 (Confidentiality impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Solution(s) rocky-upgrade-java-1.8.0-openjdk rocky-upgrade-java-1.8.0-openjdk-debuginfo rocky-upgrade-java-1.8.0-openjdk-debugsource rocky-upgrade-java-1.8.0-openjdk-demo rocky-upgrade-java-1.8.0-openjdk-demo-debuginfo rocky-upgrade-java-1.8.0-openjdk-demo-fastdebug rocky-upgrade-java-1.8.0-openjdk-demo-fastdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-demo-slowdebug rocky-upgrade-java-1.8.0-openjdk-demo-slowdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-devel rocky-upgrade-java-1.8.0-openjdk-devel-debuginfo rocky-upgrade-java-1.8.0-openjdk-devel-fastdebug rocky-upgrade-java-1.8.0-openjdk-devel-fastdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-devel-slowdebug rocky-upgrade-java-1.8.0-openjdk-devel-slowdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-fastdebug rocky-upgrade-java-1.8.0-openjdk-fastdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-headless rocky-upgrade-java-1.8.0-openjdk-headless-debuginfo rocky-upgrade-java-1.8.0-openjdk-headless-fastdebug rocky-upgrade-java-1.8.0-openjdk-headless-fastdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-headless-slowdebug rocky-upgrade-java-1.8.0-openjdk-headless-slowdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-slowdebug rocky-upgrade-java-1.8.0-openjdk-slowdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-src rocky-upgrade-java-1.8.0-openjdk-src-fastdebug rocky-upgrade-java-1.8.0-openjdk-src-slowdebug rocky-upgrade-java-11-openjdk rocky-upgrade-java-11-openjdk-debuginfo rocky-upgrade-java-11-openjdk-debugsource rocky-upgrade-java-11-openjdk-demo rocky-upgrade-java-11-openjdk-demo-fastdebug rocky-upgrade-java-11-openjdk-demo-slowdebug rocky-upgrade-java-11-openjdk-devel rocky-upgrade-java-11-openjdk-devel-debuginfo rocky-upgrade-java-11-openjdk-devel-fastdebug rocky-upgrade-java-11-openjdk-devel-fastdebug-debuginfo rocky-upgrade-java-11-openjdk-devel-slowdebug rocky-upgrade-java-11-openjdk-devel-slowdebug-debuginfo rocky-upgrade-java-11-openjdk-fastdebug rocky-upgrade-java-11-openjdk-fastdebug-debuginfo 
rocky-upgrade-java-11-openjdk-headless rocky-upgrade-java-11-openjdk-headless-debuginfo rocky-upgrade-java-11-openjdk-headless-fastdebug rocky-upgrade-java-11-openjdk-headless-fastdebug-debuginfo rocky-upgrade-java-11-openjdk-headless-slowdebug rocky-upgrade-java-11-openjdk-headless-slowdebug-debuginfo rocky-upgrade-java-11-openjdk-javadoc rocky-upgrade-java-11-openjdk-javadoc-zip rocky-upgrade-java-11-openjdk-jmods rocky-upgrade-java-11-openjdk-jmods-fastdebug rocky-upgrade-java-11-openjdk-jmods-slowdebug rocky-upgrade-java-11-openjdk-slowdebug rocky-upgrade-java-11-openjdk-slowdebug-debuginfo rocky-upgrade-java-11-openjdk-src rocky-upgrade-java-11-openjdk-src-fastdebug rocky-upgrade-java-11-openjdk-src-slowdebug rocky-upgrade-java-11-openjdk-static-libs rocky-upgrade-java-11-openjdk-static-libs-fastdebug rocky-upgrade-java-11-openjdk-static-libs-slowdebug rocky-upgrade-java-17-openjdk rocky-upgrade-java-17-openjdk-debuginfo rocky-upgrade-java-17-openjdk-debugsource rocky-upgrade-java-17-openjdk-demo rocky-upgrade-java-17-openjdk-demo-fastdebug rocky-upgrade-java-17-openjdk-demo-slowdebug rocky-upgrade-java-17-openjdk-devel rocky-upgrade-java-17-openjdk-devel-debuginfo rocky-upgrade-java-17-openjdk-devel-fastdebug rocky-upgrade-java-17-openjdk-devel-fastdebug-debuginfo rocky-upgrade-java-17-openjdk-devel-slowdebug rocky-upgrade-java-17-openjdk-devel-slowdebug-debuginfo rocky-upgrade-java-17-openjdk-fastdebug rocky-upgrade-java-17-openjdk-fastdebug-debuginfo rocky-upgrade-java-17-openjdk-headless rocky-upgrade-java-17-openjdk-headless-debuginfo rocky-upgrade-java-17-openjdk-headless-fastdebug rocky-upgrade-java-17-openjdk-headless-fastdebug-debuginfo rocky-upgrade-java-17-openjdk-headless-slowdebug rocky-upgrade-java-17-openjdk-headless-slowdebug-debuginfo rocky-upgrade-java-17-openjdk-javadoc rocky-upgrade-java-17-openjdk-javadoc-zip rocky-upgrade-java-17-openjdk-jmods rocky-upgrade-java-17-openjdk-jmods-fastdebug rocky-upgrade-java-17-openjdk-jmods-slowdebug 
rocky-upgrade-java-17-openjdk-slowdebug rocky-upgrade-java-17-openjdk-slowdebug-debuginfo rocky-upgrade-java-17-openjdk-src rocky-upgrade-java-17-openjdk-src-fastdebug rocky-upgrade-java-17-openjdk-src-slowdebug rocky-upgrade-java-17-openjdk-static-libs rocky-upgrade-java-17-openjdk-static-libs-fastdebug rocky-upgrade-java-17-openjdk-static-libs-slowdebug
References: https://attackerkb.com/topics/cve-2023-21954 | CVE-2023-21954 | https://errata.rockylinux.org/RLSA-2023:1879 | https://errata.rockylinux.org/RLSA-2023:1880 | https://errata.rockylinux.org/RLSA-2023:1895 | https://errata.rockylinux.org/RLSA-2023:1898 | https://errata.rockylinux.org/RLSA-2023:1909
-
Alpine Linux: CVE-2023-21937: Vulnerability in Multiple Components
Severity: 4 | CVSS v2: (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Published: 04/18/2023 | Created: 08/23/2024 | Added: 08/22/2024 | Modified: 10/02/2024
Description: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. Successful attacks can result in unauthorized update, insert or delete access to some Oracle Java SE and Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified component, e.g., through a web service which supplies data to the APIs.
CVSS 3.1 Base Score: 3.7 (Integrity impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Solution(s): alpine-linux-upgrade-openjdk11 | alpine-linux-upgrade-openjdk17 | alpine-linux-upgrade-openjdk8 | alpine-linux-upgrade-openjdk20
References: https://attackerkb.com/topics/cve-2023-21937 | CVE-2023-21937 | https://security.alpinelinux.org/vuln/CVE-2023-21937
-
Alpine Linux: CVE-2023-21930: Vulnerability in Multiple Components
Severity: 9 | CVSS v2: (AV:N/AC:M/Au:N/C:C/I:C/A:N) | Published: 04/18/2023 | Created: 08/23/2024 | Added: 08/22/2024 | Modified: 10/02/2024
Description: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via TLS to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. Successful attacks can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE and Oracle GraalVM Enterprise Edition accessible data, as well as unauthorized access to critical data or complete access to all Oracle Java SE and Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified component, e.g., through a web service which supplies data to the APIs.
CVSS 3.1 Base Score: 7.4 (Confidentiality and Integrity impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Solution(s): alpine-linux-upgrade-openjdk11 | alpine-linux-upgrade-openjdk17 | alpine-linux-upgrade-openjdk8 | alpine-linux-upgrade-openjdk20
References: https://attackerkb.com/topics/cve-2023-21930 | CVE-2023-21930 | https://security.alpinelinux.org/vuln/CVE-2023-21930
-
Rocky Linux: CVE-2023-30608: Satellite-6.14 (RLSA-2023-6818)
Severity: 8 | CVSS v2: (AV:N/AC:L/Au:N/C:N/I:N/A:C) | Published: 04/18/2023 | Created: 03/07/2024 | Added: 03/05/2024 | Modified: 01/28/2025
Description: sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The issue was introduced by commit `e75e358` and may lead to denial of service. It has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds.
Solution(s): rocky-upgrade-libdb-cxx | rocky-upgrade-libdb-cxx-debuginfo | rocky-upgrade-libdb-debuginfo | rocky-upgrade-libdb-debugsource | rocky-upgrade-libdb-sql-debuginfo | rocky-upgrade-libdb-sql-devel-debuginfo | rocky-upgrade-libdb-utils-debuginfo
References: https://attackerkb.com/topics/cve-2023-30608 | CVE-2023-30608 | https://errata.rockylinux.org/RLSA-2023:6818
-
Oracle Linux: CVE-2023-31486: ELSA-2023-7174: perl-HTTP-Tiny security update (MODERATE) (Multiple Advisories)
Severity: 7 | CVSS v2: (AV:N/AC:H/Au:N/C:C/I:C/A:N) | Published: 04/18/2023 | Created: 11/18/2023 | Added: 11/16/2023 | Modified: 11/28/2024
Description: HTTP::Tiny before 0.083, a Perl core module since 5.13.9 that is also available standalone on CPAN, has an insecure default TLS configuration: it does not verify TLS certificates unless the caller opts in by passing verify_SSL => 1. Without that flag, HTTPS connections are exposed to man-in-the-middle (MITM) attacks in which an attacker can intercept and manipulate the data exchanged between client and server.
Solution(s): oracle-linux-upgrade-perl-http-tiny
References: https://attackerkb.com/topics/cve-2023-31486 | CVE-2023-31486 | ELSA-2023-7174 | ELSA-2023-6542
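Because the weakness is a library default, upgrading the package alone does not tell you which call sites in your own Perl code rely on it; the fix the advisory describes is an explicit `verify_SSL => 1` at each constructor. The following added example, written for this page and not part of HTTP::Tiny or the advisory, is a heuristic scan that reports every `HTTP::Tiny->new` call whose argument list does not contain that opt-in. The Perl snippet is constructed; the regular expressions are an assumption of the example and do not parse Perl, so an argument list with nested parentheses, or a value passed through a variable, is reported as a finding (the conservative direction) rather than silently accepted.

```python
"""Find HTTP::Tiny constructors that do not opt in to TLS certificate verification.

Added example for this page; it is neither part of the advisory nor of
HTTP::Tiny. It is a heuristic source scan: every `HTTP::Tiny->new(...)` call
in Perl source is reported unless its argument list contains
`verify_SSL => 1`. The Perl snippet below is constructed for the example.
Assumptions of the heuristic: argument lists with nested parentheses are not
parsed and are therefore reported (a false positive, the safe direction),
and a flag supplied through a variable or hash is not recognised.
"""
import re
import sys

# The constructor with an optional parenthesised argument list that contains
# no nested parentheses. A bare `HTTP::Tiny->new` (no parentheses) also matches.
NEW_CALL = re.compile(r"HTTP::Tiny->new(?:\s*\(([^()]*)\))?")

# verify_SSL set to 1, written with either the fat comma or a plain comma.
VERIFY_ON = re.compile(r"\bverify_SSL\s*(?:=>|,)\s*1\b")


def find_unverified_clients(perl_source):
    """Return 1-based line numbers of HTTP::Tiny->new calls lacking verify_SSL => 1."""
    findings = []
    for match in NEW_CALL.finditer(perl_source):
        args = match.group(1) or ""          # None for a bare call without parentheses
        if not VERIFY_ON.search(args):
            line_no = perl_source.count("\n", 0, match.start()) + 1
            findings.append(line_no)
    return findings


# Constructed Perl sample: one insecure default (line 2), one explicit opt-in
# spread over several lines (lines 3-6), and one bare call (line 7).
SAMPLE_PERL = """use HTTP::Tiny;
my $insecure = HTTP::Tiny->new(timeout => 10);
my $secure   = HTTP::Tiny->new(
    timeout    => 10,
    verify_SSL => 1,
);
my $bare     = HTTP::Tiny->new;
my $res = $secure->get('https://example.invalid/');
"""

if __name__ == "__main__":
    # Pipe a Perl file in (`python3 scan.py < lib/Client.pm`); otherwise scan the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PERL
    for line_no in find_unverified_clients(source):
        print(f"line {line_no}: HTTP::Tiny->new without verify_SSL => 1")
```

Two caveats when acting on the findings: verification only takes effect if HTTP::Tiny can locate a CA bundle (through SSL_options or the Mozilla::CA module), in which case a missing bundle makes the connection fail rather than silently pass; and the scan checks the constructor argument only, so a wrapper that builds the options hash elsewhere needs to be reviewed by hand.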
-
FreeBSD: VID-F504A8D2-E105-11ED-85F6-84A93843EB75 (CVE-2023-21935): MySQL -- Multiple vulnerabilities
Severity: 6 | CVSS v2: (AV:N/AC:L/Au:M/C:N/I:N/A:C) | Published: 04/18/2023 | Created: 05/05/2023 | Added: 04/23/2023 | Modified: 01/28/2025
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVSS 3.1 Base Score: 4.9 (Availability impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Solution(s): freebsd-upgrade-package-mysql-client57 | freebsd-upgrade-package-mysql-client80 | freebsd-upgrade-package-mysql-connector-java | freebsd-upgrade-package-mysql-server57 | freebsd-upgrade-package-mysql-server80
References: CVE-2023-21935
-
FreeBSD: VID-F504A8D2-E105-11ED-85F6-84A93843EB75 (CVE-2023-21946): MySQL -- Multiple vulnerabilities
Severity: 7 | CVSS v2: (AV:N/AC:L/Au:S/C:N/I:N/A:C) | Published: 04/18/2023 | Created: 05/05/2023 | Added: 04/23/2023 | Modified: 01/28/2025
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVSS 3.1 Base Score: 6.5 (Availability impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Solution(s): freebsd-upgrade-package-mysql-client57 | freebsd-upgrade-package-mysql-client80 | freebsd-upgrade-package-mysql-connector-java | freebsd-upgrade-package-mysql-server57 | freebsd-upgrade-package-mysql-server80
References: CVE-2023-21946
-
FreeBSD: VID-F504A8D2-E105-11ED-85F6-84A93843EB75 (CVE-2023-21947): MySQL -- Multiple vulnerabilities
Severity: 6 | CVSS v2: (AV:N/AC:M/Au:M/C:N/I:N/A:C) | Published: 04/18/2023 | Created: 05/05/2023 | Added: 04/23/2023 | Modified: 01/28/2025
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.32 and prior. Difficult-to-exploit vulnerability allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVSS 3.1 Base Score: 4.4 (Availability impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Solution(s): freebsd-upgrade-package-mysql-client57 | freebsd-upgrade-package-mysql-client80 | freebsd-upgrade-package-mysql-connector-java | freebsd-upgrade-package-mysql-server57 | freebsd-upgrade-package-mysql-server80
References: CVE-2023-21947
-
Oracle Linux: CVE-2023-21945: ELSA-2024-1141: mysql security update (MODERATE) (Multiple Advisories)
Severity: 6 | CVSS v2: (AV:N/AC:L/Au:M/C:N/I:N/A:C) | Published: 04/18/2023 | Created: 02/24/2024 | Added: 02/22/2024 | Modified: 01/07/2025
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVSS 3.1 Base Score: 4.9 (Availability impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Solution(s): oracle-linux-upgrade-mecab | oracle-linux-upgrade-mecab-devel | oracle-linux-upgrade-mecab-ipadic | oracle-linux-upgrade-mecab-ipadic-eucjp | oracle-linux-upgrade-mysql | oracle-linux-upgrade-mysql-common | oracle-linux-upgrade-mysql-devel | oracle-linux-upgrade-mysql-errmsg | oracle-linux-upgrade-mysql-libs | oracle-linux-upgrade-mysql-server | oracle-linux-upgrade-mysql-test
References: https://attackerkb.com/topics/cve-2023-21945 | CVE-2023-21945 | ELSA-2024-1141 | ELSA-2024-0894
-
Ubuntu: USN-6060-1 (CVE-2023-21940): MySQL vulnerabilities
Severity: 6 | CVSS v2: (AV:N/AC:M/Au:M/C:N/I:N/A:C) | Published: 04/18/2023 | Created: 05/10/2023 | Added: 05/09/2023 | Modified: 01/28/2025
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.32 and prior. Difficult-to-exploit vulnerability allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVSS 3.1 Base Score: 4.4 (Availability impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Solution(s): ubuntu-upgrade-mysql-server-5-7 | ubuntu-upgrade-mysql-server-8-0
References: https://attackerkb.com/topics/cve-2023-21940 | CVE-2023-21940 | USN-6060-1
-
Oracle Database: Critical Patch Update - April 2023 (CVE-2023-21934)
Severity: 8 | CVSS v2: (AV:N/AC:M/Au:S/C:C/I:C/A:N) | Published: 04/18/2023 | Created: 05/05/2023 | Added: 04/27/2023 | Modified: 01/28/2025
Description: Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19c and 21c. Difficult-to-exploit vulnerability allows a low-privileged attacker having User Account privilege with network access via TLS to compromise Java VM. Successful attacks can result in unauthorized creation, deletion or modification access to critical data or all Java VM accessible data, as well as unauthorized access to critical data or complete access to all Java VM accessible data.
CVSS 3.1 Base Score: 6.8 (Confidentiality and Integrity impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Solution(s): oracle-apply-apr-2023-cpu
References: https://attackerkb.com/topics/cve-2023-21934 | CVE-2023-21934 | http://www.oracle.com/security-alerts/cpuapr2023.html | https://support.oracle.com/rs?type=doc&id=2923348.1
-
Ubuntu: USN-6060-1 (CVE-2023-21962): MySQL vulnerabilities
Severity: 6 | CVSS v2: (AV:N/AC:L/Au:M/C:N/I:N/A:C) | Published: 04/18/2023 | Created: 05/10/2023 | Added: 05/09/2023 | Modified: 01/28/2025
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVSS 3.1 Base Score: 4.9 (Availability impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Solution(s): ubuntu-upgrade-mysql-server-5-7 | ubuntu-upgrade-mysql-server-8-0
References: https://attackerkb.com/topics/cve-2023-21962 | CVE-2023-21962 | USN-6060-1
-
VMware Photon OS: CVE-2023-21967
Severity: 5 | CVSS v2: (AV:N/AC:H/Au:N/C:N/I:N/A:C) | Published: 04/18/2023 | Created: 01/21/2025 | Added: 01/20/2025 | Modified: 02/04/2025
Description: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. Successful attacks can result in an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of Oracle Java SE and Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified component, e.g., through a web service which supplies data to the APIs.
CVSS 3.1 Base Score: 5.9 (Availability impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Solution(s): vmware-photon_os_update_tdnf
References: https://attackerkb.com/topics/cve-2023-21967 | CVE-2023-21967
-
VMware Photon OS: CVE-2023-21980
Severity: 7 | CVSS v2: (AV:N/AC:H/Au:S/C:C/I:C/A:C) | Published: 04/18/2023 | Created: 01/21/2025 | Added: 01/20/2025 | Modified: 02/04/2025
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs). Supported versions that are affected are 5.7.41 and prior and 8.0.32 and prior. Difficult-to-exploit vulnerability allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks can result in takeover of MySQL Server.
CVSS 3.1 Base Score: 7.1 (Confidentiality, Integrity and Availability impacts) | CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Solution(s): vmware-photon_os_update_tdnf
References: https://attackerkb.com/topics/cve-2023-21980 | CVE-2023-21980