Bug 2196673 (CVE-2023-21971)

Summary: CVE-2023-21971 mysql-connector-java: Connector/J unspecified vulnerability (CPU April 2023)
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, databases-maint, dhanak, dkreling, dosoudil, drichtar, emingora, fjuma, gjospin, gmalinko, gsmet, ibek, ivassile, iweiss, janstey, jmartisk, jolee, jpechane, jrokos, jross, jschatte, jstastny, kverlaen, lbacciot, lgao, lthon, max.andersen, mnovotny, mosmerov, mschorm, msochure, msvehla, nwallace, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rowaters, rruss, rstancel, rsvoboda, sbiarozk, smaestri, sthorger, tom.jenkinson, tqvarnst, zmiklank
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mysql-connector-java 8.0.33 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in MySQL Connector. Successful attacks of this vulnerability can result in the unauthorized ability to cause a hang or frequently repeatable crash, resulting in complete denial of service of MySQL Connectors. This issue can also result in an unauthorized update, insert or delete access to some of the MySQL Connectors' accessible data, and unauthorized read access to a subset of MySQL Connectors' accessible data.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2196674    
Bug Blocks: 2196675    

Description Mauro Matteo Cascella 2023-05-09 19:54:58 UTC 
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors as well as unauthorized update, insert or delete access to some of MySQL Connectors accessible data and unauthorized read access to a subset of MySQL Connectors accessible data.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-21971
https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixMSQL
Comment 1 Mauro Matteo Cascella 2023-05-09 19:55:24 UTC 
Created mysql-connector-java tracking bugs for this issue:

Affects: fedora-all [bug 2196674]