CVE-2019-2435
Authorization Bypass vulnerability in mysql-connector-python (PyPI)
What is CVE-2019-2435 About?
This is an Authorization Bypass vulnerability in Oracle MySQL Connectors (Connector/Python), allowing unauthorized data access, modification, or deletion. It is easily exploitable via TLS by an unauthenticated attacker, but requires human interaction from a non-attacker.
Affected Software
- mysql-connector-python
- >2.1.0, <=2.1.8
- >8.0.0, <8.0.19
Technical Details
The vulnerability resides in the MySQL Connectors component, specifically Connector/Python versions 8.0.13 and prior, and 2.1.8 and prior. It is an authorization bypass that is easily exploitable over a network via TLS. An unauthenticated attacker can leverage this flaw to gain unauthorized access to or perform unauthorized modifications/deletions of critical data managed by MySQL Connectors. The successful attack vector requires human interaction from a person other than the attacker. This suggests a social engineering component or a requirement for a legitimate user to perform an action (e.g., connect to a malicious database, accept a compromised certificate) that facilitates the attacker's unauthorized access, likely by tricking the client application into misconfiguring its connection or trust settings due to the vulnerability.
What is the Impact of CVE-2019-2435?
Successful exploitation may allow attackers to gain unauthorized access to critical data, perform unauthorized creation, deletion or modification of data, and compromise data confidentiality and integrity.
What is the Exploitability of CVE-2019-2435?
Exploitation is easy but requires human interaction. An unauthenticated attacker can exploit this remotely via TLS. The attack relies on a user (other than the attacker) performing an action, suggesting social engineering or tricking a user into connecting to a malicious server or accepting a compromised configuration. No specific privileges are mentioned, but the attacker would need network access to the target. The risk factor for exploitation increases when users are less vigilant about connection security or connect to untrusted databases. The low skill requirement for the attacker is offset by the human interaction prerequisite.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2019-2435?
Available Upgrade Options
- mysql-connector-python
- >8.0.0, <8.0.19 → Upgrade to 8.0.19
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00053.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00053.html
- http://www.securityfocus.com/bid/106616
- http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00044.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-2435
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00044.html
- http://www.securityfocus.com/bid/106616
- https://github.com/mysql/mysql-connector-python
- http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
What are Similar Vulnerabilities to CVE-2019-2435?
Similar Vulnerabilities: CVE-2021-35607 , CVE-2022-21449 , CVE-2022-21473 , CVE-2023-21931 , CVE-2023-21966
