Vulnerability CVE-2019-2692

Vulnerability Name:

CVE-2019-2692 (CCN-159784)

Assigned:

2018-12-14

Published:

2019-04-16

Updated:

2020-08-24

Summary:

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS v3 Severity:

6.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)
5.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): High User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

6.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)
5.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): High User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

3.5 Low (CVSS v2 Vector: AV:L/AC:H/Au:S/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): High Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

5.9 Medium (CCN CVSS v2 Vector: AV:L/AC:H/Au:M/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): High Athentication (Au): Multiple_Instances
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Other

References:

Source: MITRE
Type: CNA
CVE-2019-2692

Source: CCN
Type: Oracle CPUApr2019
Oracle Critical Patch Update Advisory - April 2019

Source: MISC
Type: Patch, Vendor Advisory
http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Source: BID
Type: UNKNOWN
107925

Source: XF
Type: UNKNOWN
oracle-cpuapr2019-cve20192692(159784)

Source: CONFIRM
Type: UNKNOWN
https://security.netapp.com/advisory/ntap-20190423-0002/

Source: CCN
Type: IBM Security Bulletin 1170046 (API Connect)
IBM API Connect is potentially impacted by vulnerabilities in MySQL

Vulnerable Configuration:

Configuration 1:

cpe:/a:oracle:mysql_connector/j:*:*:*:*:*:*:*:* (Version <= 8.0.15)

Configuration CCN 1:

cpe:/a:ibm:api_connect:5.0.8.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:5.0.8.7:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.cosmic:def:20192692000	V	CVE-2019-2692 on Ubuntu 18.10 (cosmic) - medium.	2019-04-23
oval:com.ubuntu.cosmic:def:201926920000000	V	CVE-2019-2692 on Ubuntu 18.10 (cosmic) - medium.	2019-04-23
oval:com.ubuntu.bionic:def:20192692000	V	CVE-2019-2692 on Ubuntu 18.04 LTS (bionic) - medium.	2019-04-23
oval:com.ubuntu.bionic:def:201926920000000	V	CVE-2019-2692 on Ubuntu 18.04 LTS (bionic) - medium.	2019-04-23
oval:com.ubuntu.xenial:def:20192692000	V	CVE-2019-2692 on Ubuntu 16.04 LTS (xenial) - medium.	2019-04-23
oval:com.ubuntu.xenial:def:201926920000000	V	CVE-2019-2692 on Ubuntu 16.04 LTS (xenial) - medium.	2019-04-23
oval:com.ubuntu.trusty:def:20192692000	V	CVE-2019-2692 on Ubuntu 14.04 LTS (trusty) - medium.	2019-04-23

BACK