Oracle MySQL Cluster up to 8.0.20 Packaging injection

Summaryinfo

A vulnerability classified as problematic was found in Oracle MySQL Cluster up to 7.3.29/7.4.28/7.5.18/7.6.14/8.0.20. The impacted element is an unknown function of the component Packaging. Such manipulation leads to injection. This vulnerability is documented as CVE-2020-5258. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in Oracle MySQL Cluster up to 7.3.29/7.4.28/7.5.18/7.6.14/8.0.20 (Database Software) and classified as problematic. Affected by this issue is an unknown function of the component Packaging. The manipulation with an unknown input leads to a injection vulnerability. Using CWE to declare the problem leads to CWE-74. The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. The impact remains unknown.

The weakness was released 07/15/2020 as Oracle Critical Patch Update Advisory - July 2020 as confirmed advisory (Website). The advisory is shared for download at oracle.com. This vulnerability is handled as CVE-2020-5258. The attack may be launched remotely. The successful exploitation requires a simple authentication. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1055.

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

Entries connected to this vulnerability are available at VDB-151279, VDB-158073, VDB-158074 and VDB-158075. Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Database Software

Vendor

• Oracle

Name

• MySQL Cluster

Version

• 7.3.0
• 7.3.1
• 7.3.2
• 7.3.3
• 7.3.4
• 7.3.5
• 7.3.6
• 7.3.7
• 7.3.8
• 7.3.9
• 7.3.10
• 7.3.11
• 7.3.12
• 7.3.13
• 7.3.14
• 7.3.15
• 7.3.16
• 7.3.17
• 7.3.18
• 7.3.19
• 7.3.20
• 7.3.21
• 7.3.22
• 7.3.23
• 7.3.24
• 7.3.25
• 7.3.26
• 7.3.27
• 7.3.28
• 7.3.29
• 7.4.0
• 7.4.1
• 7.4.2
• 7.4.3
• 7.4.4
• 7.4.5
• 7.4.6
• 7.4.7
• 7.4.8
• 7.4.9
• 7.4.10
• 7.4.11
• 7.4.12
• 7.4.13
• 7.4.14
• 7.4.15
• 7.4.16
• 7.4.17
• 7.4.18
• 7.4.19
• 7.4.20
• 7.4.21
• 7.4.22
• 7.4.23
• 7.4.24
• 7.4.25
• 7.4.26
• 7.4.27
• 7.4.28
• 7.5.0
• 7.5.1
• 7.5.2
• 7.5.3
• 7.5.4
• 7.5.5
• 7.5.6
• 7.5.7
• 7.5.8
• 7.5.9
• 7.5.10
• 7.5.11
• 7.5.12
• 7.5.13
• 7.5.14
• 7.5.15
• 7.5.16
• 7.5.17
• 7.5.18
• 7.6.0
• 7.6.1
• 7.6.2
• 7.6.3
• 7.6.4
• 7.6.5
• 7.6.6
• 7.6.7
• 7.6.8
• 7.6.9
• 7.6.10
• 7.6.11
• 7.6.12
• 7.6.13
• 7.6.14
• 8.0.0
• 8.0.1
• 8.0.2
• 8.0.3
• 8.0.4
• 8.0.5
• 8.0.6
• 8.0.7
• 8.0.8
• 8.0.9
• 8.0.10
• 8.0.11
• 8.0.12
• 8.0.13
• 8.0.14
• 8.0.15
• 8.0.16
• 8.0.17
• 8.0.18
• 8.0.19
• 8.0.20

License

• open-source

Website

• Vendor: https://www.oracle.com

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion