diff --git a/.gitignore b/.gitignore index 551ca0990..32242a31d 100644 --- a/.gitignore +++ b/.gitignore @@ -16,4 +16,5 @@ test_db/** result* result_* sql/*.sql -sql/*.csv \ No newline at end of file +sql/*.csv +cve.csv \ No newline at end of file diff --git a/FEATURES.md b/FEATURES.md index aa11f00d9..e8f259e4c 100644 --- a/FEATURES.md +++ b/FEATURES.md @@ -2,11 +2,7 @@ Features list for option: --feature (dev only) --- -* calculations -* compare_tuner_version -* cpu_cores * cve_recommendations -* grep_file_contents * log_file_recommendations * make_recommendations * mariadb_aria @@ -17,7 +13,6 @@ Features list for option: --feature (dev only) * mariadb_threadpool * mariadb_tokudb * mariadb_xtradb -* merge_hash * mysql_databases * mysql_indexes * mysql_innodb @@ -29,14 +24,8 @@ Features list for option: --feature (dev only) * mysql_table_structures * mysql_tables * mysql_triggers -* mysql_version_eq -* mysql_version_ge -* mysql_version_le * mysql_views -* os_setup -* pretty_uptime * security_recommendations * system_recommendations -* update_tuner_version * validate_mysql_version * validate_tuner_version diff --git a/Makefile b/Makefile new file mode 100644 index 000000000..5b0bd45d7 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,66 @@
+VERSION=$(shell grep '\- Version ' mysqltuner.pl | awk '{ print $$NF}')
+UPDATE_SUB_VERSION=$(shell echo $(VERSION) | awk -F. '{ print $$1"."$$2"."$$3+1 }')
+UPDATE_MINOR_VERSION=$(shell echo $(VERSION) | awk -F. '{ print $$1"."$$2+1".0" }')
+UPDATE_MAJOR_VERSION=$(shell echo $(VERSION) | awk -F. '{ print $$1+1".0.0" }')
+
+all: generate_cve generate_features generate_usage tidy increment_sub_version
+
+help:
+ @echo "Usage: make "
+ @echo " help: Show this help"
+ @echo " generate_usage: Generate USAGE.md"
+ @echo " generate_cve: Generate vulnerabilities.csv"
+ @echo " generate_features: Generate FEATURES.md"
+ @echo " tidy: Tidy mysqltuner.pl"
+ @echo " installdep_debian: Install dependencies on Debian"
+ @echo " increment_sub_version: Increment sub version"
+ @echo " increment_minor_version: Increment minor version"
+ @echo " increment_major_version: Increment major version"
+ @echo " push: Push to GitHub"
+
+
+installdep_debian:
+ apt install -y cpanminus libpod-markdown-perl libwww-mechanize-gzip-perl perltidy dos2unix
+ cpanm File::Util
+
+tidy:
+ dos2unix ./mysqltuner.pl
+ perltidy -b ./mysqltuner.pl
+ git add ./mysqltuner.pl
+ git commit -m "Indenting mysqltuner at $(shell date --iso=seconds)"
+
+generate_usage:
+ pod2markdown mysqltuner.pl >USAGE.md
+ git add ./USAGE.md
+ git commit -m "Generate USAGE.md at $(shell date --iso=seconds)"
+
+generate_cve:
+ perl ./build/updateCVElist.pl
+ git add ./vulnerabilities.csv
+ git commit -m "Generate CVE list at $(shell date --iso=seconds)"
+
+generate_features:
+ perl ./build/genFeatures.sh
+ git add ./FEATURES.md
+ git commit -m "Generate FEATURES.md at $(shell date --iso=seconds)"
+
+increment_sub_version:
+ @echo "Incrementing sub version from $(VERSION) to $(UPDATE_SUB_VERSION)"
+ sed -i "s/$(VERSION)/$(UPDATE_SUB_VERSION)/" mysqltuner.pl *.md
+ git add ./*.md ./mysqltuner.pl
+ git commit -m "Generate $(UPDATE_SUB_VERSION) sub version at $(shell date --iso=seconds)"
+
+increment_minor_version:
+ @echo "Incrementing minor version from $(VERSION) to $(UPDATE_MINOR_VERSION)" + sed -i "s/$(VERSION)/$(UPDATE_MINOR_VERSION)/" mysqltuner.pl *.md + git add ./*.md ./mysqltuner.pl + git commit -m "Generate $(UPDATE_SUB_VERSION) minor version at $(shell date --iso=seconds)" + +increment_major_version: + @echo "Incrementing major version from $(VERSION) to $(UPDATE_MAJOR_VERSION)" + sed -i "s/$(VERSION)/$(UPDATE_MAJOR_VERSION)/" mysqltuner.pl *.md + git add ./*.md ./mysqltuner.pl + git commit -m "Generate $(UPDATE_SUB_VERSION) major version at $(shell date --iso=seconds)" + +push: + git push \ No newline at end of file diff --git a/USAGE.md b/USAGE.md index 437e7f780..34c190dc5 100644 --- a/USAGE.md +++ b/USAGE.md @@ -1,6 +1,6 @@ # NAME - MySQLTuner 2.2.7 - MySQL High Performance Tuning Script + MySQLTuner 2.2.9 - MySQL High Performance Tuning Script # IMPORTANT USAGE GUIDELINES diff --git a/build/genFeatures.sh b/build/genFeatures.sh index 3736fcfef..17fdecae3 100644 --- a/build/genFeatures.sh +++ b/build/genFeatures.sh @@ -4,10 +4,10 @@ ( export LANG=C echo -e "Features list for option: --feature (dev only)\n---\n\n" - grep -E '^sub ' ../mysqltuner.pl | \ + grep -E '^sub ' ./mysqltuner.pl | \ perl -pe 's/sub //;s/\s*\{//g' | \ sort -n | \ perl -pe 's/^/* /g' | \ - grep -vE '(get_|close_|check_|memerror|human_size|string2file|file2|arr2|dump|which|percentage|trim|is_|hr_|info|print|select|wrap|remove_)' -) > ../FEATURES.md -cat ../FEATURES.md + grep -vE '(get_|close_|check_|memerror|cpu_cores|compare_tuner_version|grep_file_contents|update_tuner_version|mysql_version_|calculations|merge_hash|os_setup|pretty_uptime|update_tuner_version|human_size|string2file|file2|arr2|dump|which|percentage|trim|is_|hr_|info|print|select|wrap|remove_)' +) > ./FEATURES.md +cat ./FEATURES.md diff --git a/build/updateCVElist.pl b/build/updateCVElist.pl index 5369e4522..7c8203d58 100644 --- a/build/updateCVElist.pl +++ b/build/updateCVElist.pl 
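Review bot: In the new Makefile, the commit messages of `increment_minor_version` and `increment_major_version` both interpolate `$(UPDATE_SUB_VERSION)`, so a minor or major bump is recorded in history under the wrong version number; the first should read `git commit -m "Generate $(UPDATE_MINOR_VERSION) minor version at $(shell date --iso=seconds)"`, and the second the same with `$(UPDATE_MAJOR_VERSION)`. The three `sed -i "s/$(VERSION)/.../"` recipes pass the version through as an unescaped, unanchored regex, so each `.` matches any character and the substitution can rewrite strings other than the version in `mysqltuner.pl` and every `*.md`; `sed -i "s/$(subst .,\.,$(VERSION))/$(UPDATE_SUB_VERSION)/"` at least makes the match literal. Every generating target ends in an unconditional `git commit`, which exits non-zero when nothing was staged and would stop `make all` partway, for example after `tidy` on an already-tidy file; `git diff --cached --quiet || git commit -m "..."` avoids that. None of the targets is declared `.PHONY`, so a file named `tidy` or `push` in the tree would silently disable the matching target.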
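Review bot: With the paths in build/genFeatures.sh switched from `../` to `./`, the script reads `./mysqltuner.pl` and writes `./FEATURES.md` relative to whatever directory it is started from, and nothing in the visible lines pins that directory. Started from `build/` as the old paths implied, the first `grep` finds no input and the redirect still appears to create a `FEATURES.md` containing only the header. Adding `cd "$(dirname "$0")/.." || exit 1` ahead of the subshell would make the result independent of the caller; the lines above the hunk are not visible, so this may already be handled there. The extended `grep -vE` pattern lists `update_tuner_version` twice, and since every alternative is an unanchored substring (`info`, `print`, `select`, `is_`), any sub whose name merely contains one of them drops out of the feature list without notice, which deserves a comment above that line.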
@@ -49,7 +49,7 @@ sub AUTOLOAD { my @versions; my $temp; -unlink '../vulnerabilities.csv' if -f '../vulnerabilities.csv'; +unlink './vulnerabilities.csv' if -f './vulnerabilities.csv'; open(CVE, 'cve.csv') or die("Could not open file."); foreach my $line () { if ($line =~ /(mysql|mariadb|percona)/i @@ -69,7 +69,7 @@ sub AUTOLOAD { #print $vers."\n".Dumper @nb; #print "$line"; #exit 0 if ($line =~/before/i) ; - $f->write_file('file' => '../vulnerabilities.csv', 'content' => "$nb[0].$nb[1].$nb[2];$nb[0];$nb[1];$nb[2];$line", 'mode' => 'append'); + $f->write_file('file' => './vulnerabilities.csv', 'content' => "$nb[0].$nb[1].$nb[2];$nb[0];$nb[1];$nb[2];$line", 'mode' => 'append'); } } } diff --git a/mysqltuner.pl b/mysqltuner.pl index d2518d6b2..25bfa8388 100644 --- a/mysqltuner.pl +++ b/mysqltuner.pl @@ -1,5 +1,5 @@ #!/usr/bin/env perl -# mysqltuner.pl - Version 2.2.8 +# mysqltuner.pl - Version 2.2.9 # High Performance MySQL Tuning Script # Copyright (C) 2015-2023 Jean-Marie Renouard - jmrenouard@gmail.com # Copyright (C) 2006-2023 Major Hayden - major@mhtx.net @@ -57,7 +57,7 @@ package main; #use Env; # Set up a few variables for use in the script -my $tunerversion = "2.2.8"; +my $tunerversion = "2.2.9"; my ( @adjvars, @generalrec ); # Set defaults @@ -7357,7 +7357,7 @@ sub which { =head1 NAME - MySQLTuner 2.2.8 - MySQL High Performance Tuning Script + MySQLTuner 2.2.9 - MySQL High Performance Tuning Script =head1 IMPORTANT USAGE GUIDELINES diff --git a/vulnerabilities.csv b/vulnerabilities.csv index 6d634bd26..eb1cb7a91 100644 --- a/vulnerabilities.csv +++ b/vulnerabilities.csv 
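Review bot: In build/updateCVElist.pl the changed `unlink './vulnerabilities.csv'` still runs before the `open(CVE, 'cve.csv')` on the following line has succeeded, so when `cve.csv` is missing or unreadable the script dies having already deleted the previous list. Opening the input first with `open(my $cve, '<', 'cve.csv') or die "Could not open cve.csv: $!";` (with the read loop adjusted to the lexical handle) and removing the old output only afterwards keeps the last good file in place and reports why the open failed. Both this hunk and the `write_file` call in the second hunk now resolve `./vulnerabilities.csv` against the current directory, so the script only produces the file in the right place when started from the repository root, which the new `generate_cve` target appears to assume. Because rows are appended one at a time, an interrupted run leaves a truncated list that downstream CVE checks would treat as complete; writing to a temporary name and renaming at the end would avoid that. The rest of the script body lies outside both hunks.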
@@ -1716,8 +1716,8 @@ 1.3.0;1;3;0;CVE-2022-44644;Candidate;"In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module; an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server; By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore; the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.1";"MISC:https://lists.apache.org/thread/hwq9ytq6y1kdh9lz5znptkcrdll9x85h | URL:https://lists.apache.org/thread/hwq9ytq6y1kdh9lz5znptkcrdll9x85h";Assigned (20221103);"None (candidate not yet proposed)";"" 1.3.1;1;3;1;CVE-2022-44644;Candidate;"In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module; an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server; By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore; the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.1";"MISC:https://lists.apache.org/thread/hwq9ytq6y1kdh9lz5znptkcrdll9x85h | URL:https://lists.apache.org/thread/hwq9ytq6y1kdh9lz5znptkcrdll9x85h";Assigned (20221103);"None (candidate not yet proposed)";"" 3.17.0;3;17;0;CVE-2022-45136;Candidate;"** UNSUPPORTED WHEN ASSIGNED ** Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The mySQL JDBC driver in particular is known to be vulnerable to this class of attack. As a result an application using Apache Jena SDB can be subject to RCE when connected to a malicious database server. Apache Jena SDB has been EOL since December 2020 and users should migrate to alternative options e.g. 
Apache Jena TDB 2.";"MISC:https://lists.apache.org/thread/mc77cdl5stgjtjoldk467gdf756qjt31 | URL:https://lists.apache.org/thread/mc77cdl5stgjtjoldk467gdf756qjt31 | MLIST:[oss-security] 20221114 CVE-2022-45136: JDBC Deserialisation in Apache Jena SDB | URL:http://www.openwall.com/lists/oss-security/2022/11/14/5";Assigned (20221110);"None (candidate not yet proposed)";"" -10.3.33;10;3;33;CVE-2022-47015;Candidate;"MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.";"CONFIRM:https://security.netapp.com/advisory/ntap-20230309-0009/ | MISC:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954 | URL:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954 | MLIST:[debian-lts-announce] 20230604 [SECURITY] [DLA 3444-1] mariadb-10.3 security update | URL:https://lists.debian.org/debian-lts-announce/2023/06/msg00005.html";Assigned (20221212);"None (candidate not yet proposed)";"" -10.9.2;10;9;2;CVE-2022-47015;Candidate;"MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.";"CONFIRM:https://security.netapp.com/advisory/ntap-20230309-0009/ | MISC:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954 | URL:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954 | MLIST:[debian-lts-announce] 20230604 [SECURITY] [DLA 3444-1] mariadb-10.3 security update | URL:https://lists.debian.org/debian-lts-announce/2023/06/msg00005.html";Assigned (20221212);"None (candidate not yet proposed)";"" +10.3.33;10;3;33;CVE-2022-47015;Candidate;"MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. 
It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.";"CONFIRM:https://security.netapp.com/advisory/ntap-20230309-0009/ | FEDORA:FEDORA-2023-381f23a0ae | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O22PO3Q6TRSNJI2A2WTJH3VVCHEKBF6C/ | FEDORA:FEDORA-2023-b4ff407364 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUQ33SPQCZQD63TWAM3XKFNVNFRGPFYU/ | MISC:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954 | URL:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954 | MLIST:[debian-lts-announce] 20230604 [SECURITY] [DLA 3444-1] mariadb-10.3 security update | URL:https://lists.debian.org/debian-lts-announce/2023/06/msg00005.html";Assigned (20221212);"None (candidate not yet proposed)";"" +10.9.2;10;9;2;CVE-2022-47015;Candidate;"MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. 
It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.";"CONFIRM:https://security.netapp.com/advisory/ntap-20230309-0009/ | FEDORA:FEDORA-2023-381f23a0ae | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O22PO3Q6TRSNJI2A2WTJH3VVCHEKBF6C/ | FEDORA:FEDORA-2023-b4ff407364 | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUQ33SPQCZQD63TWAM3XKFNVNFRGPFYU/ | MISC:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954 | URL:https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954 | MLIST:[debian-lts-announce] 20230604 [SECURITY] [DLA 3444-1] mariadb-10.3 security update | URL:https://lists.debian.org/debian-lts-announce/2023/06/msg00005.html";Assigned (20221212);"None (candidate not yet proposed)";"" 8.0.31;8;0;31;CVE-2023-21836;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujan2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" 5.7.40;5;7;40;CVE-2023-21840;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 5.7.40 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujan2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" 8.0.31;8;0;31;CVE-2023-21863;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujan2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" 
@@ -1756,6 +1756,7 @@ 8.0.32;8;0;32;CVE-2023-21945;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" 8.0.32;8;0;32;CVE-2023-21946;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" 8.0.32;8;0;32;CVE-2023-21947;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" +8.0.27;8;0;27;CVE-2023-21950;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230725-0005/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujul2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" 8.0.32;8;0;32;CVE-2023-21953;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" 8.0.32;8;0;32;CVE-2023-21955;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" 8.0.32;8;0;32;CVE-2023-21962;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" 
@@ -1768,20 +1769,34 @@ 5.7.41;5;7;41;CVE-2023-21980;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs). Supported versions that are affected are 5.7.41 and prior and 8.0.32 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.1 (Confidentiality; Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" 8.0.32;8;0;32;CVE-2023-21980;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs). Supported versions that are affected are 5.7.41 and prior and 8.0.32 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.1 (Confidentiality; Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" 8.0.32;8;0;32;CVE-2023-21982;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. 
Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230427-0007/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpuapr2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" +8.0.33;8;0;33;CVE-2023-22005;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230725-0005/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujul2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" +5.7.41;5;7;41;CVE-2023-22007;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.41 and prior and 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230725-0005/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujul2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" +8.0.32;8;0;32;CVE-2023-22007;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.41 and prior and 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230725-0005/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujul2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" +8.0.33;8;0;33;CVE-2023-22008;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230725-0005/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujul2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" +8.0.33;8;0;33;CVE-2023-22033;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230725-0005/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujul2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" +8.0.33;8;0;33;CVE-2023-22038;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update; insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230725-0005/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujul2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" +8.0.33;8;0;33;CVE-2023-22046;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). 
Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230725-0005/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujul2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" +8.0.33;8;0;33;CVE-2023-22048;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth). Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230725-0005/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujul2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" +5.7.42;5;7;42;CVE-2023-22053;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs). Supported versions that are affected are 5.7.42 and prior and 8.0.33 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server and unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230725-0005/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujul2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" +8.0.33;8;0;33;CVE-2023-22053;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs). Supported versions that are affected are 5.7.42 and prior and 8.0.33 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server and unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230725-0005/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujul2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" +8.0.33;8;0;33;CVE-2023-22054;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. 
CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230725-0005/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujul2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" +8.0.33;8;0;33;CVE-2023-22056;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230725-0005/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujul2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" +8.0.33;8;0;33;CVE-2023-22057;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230725-0005/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujul2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" +8.0.33;8;0;33;CVE-2023-22058;Candidate;"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).";"CONFIRM:https://security.netapp.com/advisory/ntap-20230725-0005/ | MISC:Oracle Advisory | URL:https://www.oracle.com/security-alerts/cpujul2023.html";Assigned (20221217);"None (candidate not yet proposed)";"" 7.0.0;7;0;0;CVE-2023-22974;Candidate;"A Path Traversal in setup.php in OpenEMR < 7.0.0 allows remote unauthenticated users to read arbitrary files by controlling a connection to an attacker-controlled MySQL server.";"MISC:https://www.open-emr.org/wiki/index.php/OpenEMR_Patches#7.0.0_Patch_.2811.2F30.2F22.29 | MISC:https://www.sonarsource.com/blog/openemr-remote-code-execution-in-your-healthcare-system/";Assigned (20230111);"None (candidate not yet proposed)";"" 20.5.0;20;5;0;CVE-2023-28630;Candidate;"GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 and below 23.1.0; if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools; the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. 
The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled; but does not have access to the `pg_dump` or `mysqldump` utility tools to backup the configured database type (PostgreSQL or MySQL respectively). In such cases; failure to launch the expected backup utility reports the shell environment used to attempt to launch in the server admin alert; which includes the plaintext database password supplied to the configured tool. This vulnerability does not affect backups of the default on-disk H2 database that GoCD is configured to use. This issue has been addressed and fixed in GoCD 23.1.0. Users are advised to upgrade. Users unable to upgrade may disable backups; or administrators should ensure that the required `pg_dump` (PostgreSQL) or `mysqldump` (MySQL) binaries are available on the GoCD server when backups are triggered.";"MISC:https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d | URL:https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d | MISC:https://github.com/gocd/gocd/releases/tag/23.1.0 | URL:https://github.com/gocd/gocd/releases/tag/23.1.0 | MISC:https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv | URL:https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv | MISC:https://www.gocd.org/releases/#23-1-0 | URL:https://www.gocd.org/releases/#23-1-0";Assigned (20230320);"None (candidate not yet proposed)";"" 23.1.0;23;1;0;CVE-2023-28630;Candidate;"GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 and below 23.1.0; if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools; the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. 
The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled; but does not have access to the `pg_dump` or `mysqldump` utility tools to backup the configured database type (PostgreSQL or MySQL respectively). In such cases; failure to launch the expected backup utility reports the shell environment used to attempt to launch in the server admin alert; which includes the plaintext database password supplied to the configured tool. This vulnerability does not affect backups of the default on-disk H2 database that GoCD is configured to use. This issue has been addressed and fixed in GoCD 23.1.0. Users are advised to upgrade. Users unable to upgrade may disable backups; or administrators should ensure that the required `pg_dump` (PostgreSQL) or `mysqldump` (MySQL) binaries are available on the GoCD server when backups are triggered.";"MISC:https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d | URL:https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d | MISC:https://github.com/gocd/gocd/releases/tag/23.1.0 | URL:https://github.com/gocd/gocd/releases/tag/23.1.0 | MISC:https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv | URL:https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv | MISC:https://www.gocd.org/releases/#23-1-0 | URL:https://www.gocd.org/releases/#23-1-0";Assigned (20230320);"None (candidate not yet proposed)";"" 16.0.2;16;0;2;CVE-2023-29195;Candidate;"Vitess is a database clustering system for horizontal scaling of MySQL through generalized sharding. Prior to version 16.0.2; users can either intentionally or inadvertently create a shard containing `/` characters from VTAdmin such that from that point on; anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. 
Creating a shard using `vtctldclient` does not have the same problem because the CLI validates the input correctly. Version 16.0.2; corresponding to version 0.16.2 of the `go` module; contains a patch for this issue. Some workarounds are available. Always use `vtctldclient` to create shards; instead of using VTAdmin; disable creating shards from VTAdmin using RBAC; and/or delete the topology record for the offending shard using the client for your topology server.";"MISC:https://github.com/vitessio/vitess/commit/9dcbd7de3180f47e94f54989fb5c66daea00c920 | URL:https://github.com/vitessio/vitess/commit/9dcbd7de3180f47e94f54989fb5c66daea00c920 | MISC:https://github.com/vitessio/vitess/issues/12842 | URL:https://github.com/vitessio/vitess/issues/12842 | MISC:https://github.com/vitessio/vitess/pull/12843 | URL:https://github.com/vitessio/vitess/pull/12843 | MISC:https://github.com/vitessio/vitess/releases/tag/v16.0.2 | URL:https://github.com/vitessio/vitess/releases/tag/v16.0.2 | MISC:https://github.com/vitessio/vitess/security/advisories/GHSA-pqj7-jx24-wj7w | URL:https://github.com/vitessio/vitess/security/advisories/GHSA-pqj7-jx24-wj7w | MISC:https://pkg.go.dev/vitess.io/vitess@v0.16.2 | URL:https://pkg.go.dev/vitess.io/vitess@v0.16.2";Assigned (20230403);"None (candidate not yet proposed)";"" 0.16.2;0;16;2;CVE-2023-29195;Candidate;"Vitess is a database clustering system for horizontal scaling of MySQL through generalized sharding. Prior to version 16.0.2; users can either intentionally or inadvertently create a shard containing `/` characters from VTAdmin such that from that point on; anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using `vtctldclient` does not have the same problem because the CLI validates the input correctly. Version 16.0.2; corresponding to version 0.16.2 of the `go` module; contains a patch for this issue. Some workarounds are available. 
Always use `vtctldclient` to create shards; instead of using VTAdmin; disable creating shards from VTAdmin using RBAC; and/or delete the topology record for the offending shard using the client for your topology server.";"MISC:https://github.com/vitessio/vitess/commit/9dcbd7de3180f47e94f54989fb5c66daea00c920 | URL:https://github.com/vitessio/vitess/commit/9dcbd7de3180f47e94f54989fb5c66daea00c920 | MISC:https://github.com/vitessio/vitess/issues/12842 | URL:https://github.com/vitessio/vitess/issues/12842 | MISC:https://github.com/vitessio/vitess/pull/12843 | URL:https://github.com/vitessio/vitess/pull/12843 | MISC:https://github.com/vitessio/vitess/releases/tag/v16.0.2 | URL:https://github.com/vitessio/vitess/releases/tag/v16.0.2 | MISC:https://github.com/vitessio/vitess/security/advisories/GHSA-pqj7-jx24-wj7w | URL:https://github.com/vitessio/vitess/security/advisories/GHSA-pqj7-jx24-wj7w | MISC:https://pkg.go.dev/vitess.io/vitess@v0.16.2 | URL:https://pkg.go.dev/vitess.io/vitess@v0.16.2";Assigned (20230403);"None (candidate not yet proposed)";"" 0.3.0;0;3;0;CVE-2023-31847;Candidate;"In davinci 0.3.0-rc after logging in; the user can connect to the mysql malicious server by controlling the data source to read arbitrary files on the client side.";"MISC:https://github.com/edp963/davinci/issues/2326";Assigned (20230429);"None (candidate not yet proposed)";"" -21.0.5;21;0;5;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. 
NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" -13.0.5;13;0;5;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" -21.1.3;21;1;3;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. 
Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" -13.1.3;13;1;3;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. 
All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" -22.0.3;22;0;3;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" -14.0.3;14;0;3;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. 
NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" -22.1.4;22;1;4;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" -14.1.4;14;1;4;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. 
Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" -23.0.0;23;0;0;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. 
All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" -15.0.0;15;0;0;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" +21.0.5;21;0;5;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. 
NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html | MISC:http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html | MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" +13.0.5;13;0;5;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. 
All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html | MISC:http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html | MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" +21.1.3;21;1;3;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. 
All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html | MISC:http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html | MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" +13.1.3;13;1;3;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. 
All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html | MISC:http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html | MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" +22.0.3;22;0;3;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. 
All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html | MISC:http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html | MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" +14.0.3;14;0;3;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. 
All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html | MISC:http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html | MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" +22.1.4;22;1;4;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. 
All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html | MISC:http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html | MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" +14.1.4;14;1;4;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. 
All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html | MISC:http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html | MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" +23.0.0;23;0;0;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. 
All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html | MISC:http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html | MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" +15.0.0;15;0;0;CVE-2023-34362;Candidate;"In Progress MOVEit Transfer before 2021.0.6 (13.0.6); 2021.1.4 (13.1.4); 2022.0.4 (14.0.4); 2022.1.5 (14.1.5); and 2023.0.1 (15.0.1); a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL; Microsoft SQL Server; or Azure SQL); an attacker may be able to infer information about the structure and contents of the database; and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g.; 2020.0 and 2019x) before the five explicitly mentioned versions are affected; including older unsupported versions.";"MISC:http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html | MISC:http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html | MISC:https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023";Assigned (20230602);"None (candidate not yet proposed)";"" 2.37.0;2;37;0;CVE-2023-34409;Candidate;"In Percona Monitoring and Management (PMM) server 2.x before 2.37.1; the authenticate function in auth_server.go does not properly formalize and sanitize URL paths to reject path traversal attempts. 
This allows an unauthenticated remote user; when a crafted POST request is made against unauthenticated API routes; to access otherwise protected API routes leading to escalation of privileges and information disclosure.";"MISC:https://www.percona.com/blog/pmm-authentication-bypass-vulnerability-fixed-in-2-37-1/";Assigned (20230605);"None (candidate not yet proposed)";""