Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. External References: http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Even though the Oracle Apr 2019 CPU was released more than a week ago, suggesting that users upgrade to MySQL 5.7.26 or 8.0.16, those versions have not been released yet. Therefore, there are also no actionable details available about this flaw at this time.
Looking at the release notes for MySQL 5.7.26 and 8.0.16, there is the following issue listed: "The authentication_ldap_simple plugin could enforce authentication incorrectly. (Bug #29637712)"
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-26.html
https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-16.html
However, the authentication_ldap_simple plugin is a feature only available in the MySQL Enterprise Edition, as noted in its documentation: https://dev.mysql.com/doc/refman/8.0/en/ldap-pluggable-authentication.html
The plugin is not available in the Community Edition, which is included in Red Hat products. There does not seem to be any other change that could be related to this CVE mentioned in the release notes or found in the code changes between 5.7.25 and 5.7.26.
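The comment above reduces the question of exposure to three checks a defender can run against any MySQL server: is the reported version in the affected range (5.7.25 and prior, 8.0.15 and prior), is the build an Enterprise Edition build, and is the authentication_ldap_simple plugin actually loaded. The following is an added example, not code from the bug report or from MySQL itself; it works on the output of `SELECT VERSION()` and `SHOW PLUGINS` captured from the server. The fixed versions come from the text above; treating a `-commercial` version suffix as the Enterprise Edition marker is an assumption made here, and the sample inputs at the bottom are constructed.

```python
import re

# Fixed versions per release branch, as stated in the advisory and release notes above.
FIXED_VERSIONS = {
    (5, 7): (5, 7, 26),
    (8, 0): (8, 0, 16),
}

# The only plugin the release notes associate with this issue.
AFFECTED_PLUGIN = "authentication_ldap_simple"


def parse_version(version_string):
    """Split a SELECT VERSION() string such as '5.7.25-log' or
    '8.0.15-commercial' into (major, minor, patch, suffix)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-(\S*))?$", version_string.strip())
    if not m:
        raise ValueError("unrecognised MySQL version string: %r" % version_string)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, (m.group(4) or "")


def is_affected_version(version_string):
    """True if the version is older than the fixed release of its branch,
    False if it is at or past the fix, None if the branch is not covered
    by the advisory (e.g. 5.6, which it does not list)."""
    major, minor, patch, _ = parse_version(version_string)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def is_enterprise_build(version_string):
    """Assumption: Enterprise Edition builds carry a '-commercial' suffix."""
    _, _, _, suffix = parse_version(version_string)
    return "commercial" in suffix


def plugin_status(show_plugins_rows, plugin_name=AFFECTED_PLUGIN):
    """Return the Status column for plugin_name from SHOW PLUGINS rows
    (tuples of (Name, Status, Type, Library, License)), or None if absent."""
    for row in show_plugins_rows:
        if row[0] == plugin_name:
            return row[1]
    return None


def assess(version_string, show_plugins_rows):
    """Combine the three checks into one exposure verdict.

    'exposed'      - affected version, Enterprise build, plugin ACTIVE
    'patch'        - affected version but plugin not active (still upgrade)
    'not_affected' - fixed version, or branch outside the advisory
    """
    affected = is_affected_version(version_string)
    status = plugin_status(show_plugins_rows)
    enterprise = is_enterprise_build(version_string)
    if not affected:
        verdict = "not_affected"
    elif enterprise and status == "ACTIVE":
        verdict = "exposed"
    else:
        verdict = "patch"
    return {
        "version": version_string,
        "affected_version": affected,
        "enterprise_build": enterprise,
        "ldap_simple_plugin": status,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample output, not captured from a real server.
    community = ("5.7.25-log", [
        ("mysql_native_password", "ACTIVE", "AUTHENTICATION", None, "GPL"),
        ("validate_password", "ACTIVE", "VALIDATE PASSWORD", "validate_password.so", "GPL"),
    ])
    enterprise = ("8.0.15-commercial", [
        ("mysql_native_password", "ACTIVE", "AUTHENTICATION", None, "PROPRIETARY"),
        ("authentication_ldap_simple", "ACTIVE", "AUTHENTICATION",
         "authentication_ldap_simple.so", "PROPRIETARY"),
    ])
    for version, rows in (community, enterprise):
        print(assess(version, rows))
```

Run it against real output by feeding the rows of `SHOW PLUGINS` and the string from `SELECT VERSION()`; a `patch` verdict on a Community build matches the comment's conclusion that the plugin is absent there, while the version itself still falls in the range Oracle lists.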