CVE-2024-21272
Takeover vulnerability in mysql-connector-python (PyPI)
What is CVE-2024-21272 About?
This vulnerability affects Oracle MySQL's Connector/Python, allowing a low-privileged attacker to achieve full takeover of affected MySQL Connectors. Exploitation is difficult but can lead to complete compromise of the connector's functionality. The impact spans confidentiality, integrity, and availability.
Affected Software
- mysql-connector-python (PyPI), versions 9.0.0 and prior
Technical Details
The vulnerability is in the MySQL Connectors product, specifically the Connector/Python component, in versions 9.0.0 and prior. The flaw is difficult to exploit, but a low-privileged attacker with network access via multiple protocols can leverage it. The exploitation path likely involves manipulating the communication or data flow handled by the connector over those protocols, ending in an escalated privilege state or direct code execution that gives the attacker full control over the MySQL Connector, i.e. a takeover.
What is the Impact of CVE-2024-21272?
Successful exploitation may allow attackers to compromise client systems, steal sensitive data, disrupt database operations, and gain unauthorized control over affected MySQL Connectors.
What is the Exploitability of CVE-2024-21272?
Exploitation of this vulnerability is considered difficult, requiring a low-privileged attacker with network access via multiple protocols. There are no specific authentication requirements beyond the low-privileged access. The attacker must access the network where the MySQL Connector operates, indicating remote exploitability. Due to its complexity, the likelihood of exploitation may be lower without sophisticated attack techniques or highly specific environmental conditions. Risk factors that could increase exploitation likelihood include misconfigured network access controls or insufficient monitoring of network traffic to/from the connector.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-21272?
Available Upgrade Options
- mysql-connector-python: versions <9.1.0 → upgrade to 9.1.0
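The upgrade threshold above is easy to check programmatically. The following is an added example, not code from the advisory or from the mysql-connector-python project: a stdlib-only script that flags an installed mysql-connector-python below 9.1.0 (the fixed version named in this advisory), treating pre-release and other tagged builds of 9.1.0 conservatively as unfixed and normalising the distribution name per PEP 503 so `mysql_connector_python` is matched too.

```python
"""Flag installed mysql-connector-python versions affected by CVE-2024-21272.

Added example (not the advisory's or the project's code). Stdlib only.
The fixed version, 9.1.0, is taken from the advisory above.
"""
import re
from importlib import metadata

FIXED_VERSION = (9, 1, 0)
PACKAGE = "mysql-connector-python"

# Numeric release segment, then whatever tag follows (a1, rc2, .dev3, .post1, ...).
_RELEASE_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$")


def parse_version(text):
    """Return (release_tuple, has_tag) for a PEP 440-style version string."""
    m = _RELEASE_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # so "9.1" compares equal to "9.1.0"
    return release, m.group(2).strip() != ""


def is_vulnerable(version_text):
    """True for 9.0.0 and earlier, and for any tagged build of 9.1.0.

    A 9.1.0 pre-release sorts before the 9.1.0 final under PEP 440, so it is
    flagged rather than assumed to carry the fix; post-releases are treated
    the same way to stay conservative.
    """
    release, has_tag = parse_version(version_text)
    return release < FIXED_VERSION or (release == FIXED_VERSION and has_tag)


def normalize_name(name):
    """PEP 503 normalisation: 'MySQL_Connector.Python' -> 'mysql-connector-python'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_environment():
    """Return the installed connector version if it is vulnerable, else None."""
    for dist in metadata.distributions():
        name = dist.metadata["Name"] or ""
        if normalize_name(name) == PACKAGE and is_vulnerable(dist.version):
            return dist.version
    return None


if __name__ == "__main__":
    found = scan_environment()
    print(f"vulnerable {PACKAGE} {found} installed; upgrade to 9.1.0"
          if found else f"no vulnerable {PACKAGE} found")
```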
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2024-21272
- https://www.oracle.com/security-alerts/cpuoct2024.html
- https://github.com/mysql/mysql-connector-python
- https://osv.dev/vulnerability/GHSA-hgjp-83m4-h4fj
- https://github.com/mysql/mysql-connector-python/commit/e6b927af06e8a85bd3754f602df96a5592b4558c
What are Similar Vulnerabilities to CVE-2024-21272?
Similar Vulnerabilities: CVE-2023-21963, CVE-2023-21957, CVE-2022-21448, CVE-2022-21396, CVE-2022-21245
