CVE-2023-22102 in Communications Cloud Native Core Unified Data Repository

Summary

by MITRE • 10/25/2023

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Analysis

by VulDB Data Team • 03/06/2025

The CVE-2023-22102 vulnerability represents a critical security flaw within Oracle MySQL Connectors, specifically affecting Connector/J versions 8.1.0 and earlier. This vulnerability exists within the MySQL Connectors component, which serves as a crucial bridge between applications and MySQL database systems, facilitating data exchange and connectivity. The flaw is a difficult-to-exploit condition that allows unauthenticated attackers with network-level access to compromise the affected MySQL Connectors, creating a significant risk for database environments that rely on these connectors for application connectivity.

The technical nature of this vulnerability stems from insufficient authentication mechanisms within the Connector/J component, enabling attackers to establish unauthorized connections and potentially gain full control over the affected connectors. The CVSS score of 8.3 reflects the severity of impact across confidentiality, integrity, and availability domains, with the vector indicating network accessibility, high attack complexity, no privilege requirements, and the necessity of human interaction for successful exploitation. This classification places the vulnerability in the high-risk category, as it can be leveraged by attackers without requiring elevated privileges or specialized knowledge beyond basic network access.

The operational impact of this vulnerability extends beyond the immediate MySQL Connectors component, as evidenced by the scope change aspect that allows attacks to significantly affect additional products. This characteristic demonstrates how a single vulnerability can create cascading effects within complex IT environments where MySQL Connectors may interface with multiple systems, applications, and services. Successful exploitation could result in complete takeover of the MySQL Connectors, potentially enabling attackers to access sensitive database information, modify data integrity, or disrupt availability of database services that depend on these connectors for proper operation.

Organizations should prioritize immediate remediation of this vulnerability by upgrading to MySQL Connector/J versions that address the identified flaw, as its difficult-to-exploit nature does not diminish the potential for serious consequences. The requirement for human interaction suggests that social engineering or targeted attacks may be necessary for exploitation, but this does not eliminate the risk entirely. Security teams should implement network segmentation, monitor for unusual connection patterns, and ensure proper access controls are in place to minimize the attack surface. This vulnerability aligns with CWE-287, which addresses improper authentication issues, and may map to ATT&CK techniques involving initial access through network services and privilege escalation within database environments. The scope change component indicates potential lateral movement opportunities for attackers who successfully exploit this vulnerability, making comprehensive monitoring and incident response procedures essential for maintaining security posture.
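One way to locate affected Connector/J versions before upgrading, as an added example that is not part of the original entry: it scans dependency listings for the two Maven coordinates under which Connector/J is published and flags any version at or below 8.1.0, the affected range stated above. The function names and the sample lines are assumptions constructed for illustration; a version that is not flagged is only outside the range this entry states.

```python
import re

# Affected range as stated in the entry: Connector/J 8.1.0 and prior.
LAST_AFFECTED = (8, 1, 0)

# Maven coordinates under which Connector/J is published; optional
# packaging/classifier tokens (e.g. "jar") may sit before the version.
COORD = re.compile(
    r"(?<![\w.])(mysql:mysql-connector-java|com\.mysql:mysql-connector-j)"
    r":(?:[A-Za-z][\w-]*:)*(\d+(?:\.\d+)+)"
)


def parse_version(text):
    """Turn '8.0.28' into (8, 0, 28) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def find_affected(lines):
    """Return (line_no, coordinate, version) for each affected Connector/J."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for match in COORD.finditer(line):
            if parse_version(match.group(2)) <= LAST_AFFECTED:
                hits.append((line_no, match.group(1), match.group(2)))
    return hits


# Constructed sample in the style of `mvn dependency:list` output.
SAMPLE = """\
[INFO]    org.springframework:spring-jdbc:jar:6.0.11:compile
[INFO]    mysql:mysql-connector-java:jar:8.0.28:compile
[INFO]    com.mysql:mysql-connector-j:jar:8.1.0:runtime
[INFO]    com.mysql:mysql-connector-j:jar:9.0.0:runtime
""".splitlines()

if __name__ == "__main__":
    for line_no, coord, version in find_affected(SAMPLE):
        print(f"line {line_no}: {coord} {version} is in the affected range (<= 8.1.0)")
```

The same function accepts Gradle-style `group:artifact:version` strings, so it can be pointed at a saved dependency report from either build tool.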

Responsible

Oracle

Reservation

12/17/2022

Disclosure

10/25/2023

Moderation

accepted

Entry

4

CPE

ready

EPSS

0.00872

KEV

no

Activities

very low
