今天我把自己的SpringBoot项目上传到了GitHub,于是murphysec安全扫描平台扫描到了我的代码安全问题,如下
漏洞标题:Oracle MySQL Connectors组件访问控制错误漏洞漏洞编号:CVE-2018-3258漏洞描述:Oracle MySQL是美国甲骨文(Oracle)公司的一套开源的关系数据库管理系统。该数据库系统具有性能高、成本低、可靠性好等特点。MySQL Connectors是其中的一个连接使用MySQL的应用程序的驱动程序。Oracle MySQL中的MySQL Connectors组件8.0.12及之前版本的Connector/J子组件存在安全漏洞。攻击者可利用该漏洞控制组件,影响数据的保密性、完整性和可用性。国家漏洞库信息:https://www.cnvd.org.cn/flaw/show/CNVD-2019-39877漏洞级别:高危影响范围:(-∞, 8.0.13)最小修复版本:8.0.13引入路径:mysql:mysql-connector-java@
国家漏洞库信息:https://www.cnvd.org.cn/flaw/show/CNVD-2019-39877 具体漏洞信息:NVD - CVE-2021-2471
CVE-2021-2471 Detail Current Description Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J)、Supported versions that are affected are 8.0.26 and prior、Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors、Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors、CVSS 3.1 base Score 5.9 (Confidentiality and Availability impacts)、CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).
上述话翻译成人话就是:Oracle MySQL的MySQL连接器产品(组件:Connector/J)存在漏洞。受影响的支持版本为8.0.26及之前的版本。难以利用的漏洞允许具有网络访问权的高权限攻击者通过多种协议破坏MySQL连接器。成功攻击该漏洞可导致未经授权访问关键数据或完全访问所有MySQL连接器的可访问数据,以及未经授权导致MySQL连接器挂起或经常重复崩溃(完全DOS)的能力。
Oracle MySQL 的Connector/J JDBC驱动 < 8.0.27版本在处理XML数据时存在外部实体注入漏洞(XXE),可能导致敏感数据泄漏。 漏洞原因: MySQL Connector/J 8.0.27版本之前,MysqlSQLXML中的getSource()方法未对传入的XML数据做校验,导致攻击者可以在XML数据中引入外部实体,造成XXE攻击。
为此我还找到了近些年(2018年)漏洞排行Oracle MySQL Risk Matrix, 此Connector/J漏洞排行第三
原漏洞排行链接:Oracle Critical Patch Update - October 2018
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | base Score | Attack Vector | Attack Complex | PrivsReq'd | User Interact | Scope | Confidentiality | Integrity | Availability | CVE-2018-11776 | MySQL Enterprise MonitorMonitoring: General (Apache Struts 2)HTTPYes9.8NetworkLowNoneNoneUn- changedHighHighHigh3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior
CVE-2018-8014 | MySQL Enterprise MonitorMonitoring: General (Apache Tomcat)HTTPYes9.8NetworkLowNoneNoneUn- changedHighHighHigh3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior
CVE-2018-3258 | MySQL ConnectorsConnector/JX ProtocolNo8.8NetworkLowLowNoneUn- changedHighHighHigh8.0.12 and prior
CVE-2018-1258 | MySQL Enterprise MonitorMonitoring: General (Spring framework)HTTPNo8.8NetworkLowLowNoneUn- changedHighHighHigh3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior
CVE-2016-9843 | MySQL ServerInnoDB (zlib)MySQL ProtocolNo8.8NetworkLowLowNoneUn- changedHighHighHigh5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3155 | MySQL ServerServer: ParserMySQL ProtocolNo7.7NetworkLowLowNoneChangedNoneNoneHigh5.7.23 and prior, 8.0.12 and prior
CVE-2018-3143 | MySQL ServerInnoDBMySQL ProtocolNo6.5NetworkLowLowNoneUn- changedNoneNoneHigh5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3156 | MySQL ServerInnoDBMySQL ProtocolNo6.5NetworkLowLowNoneUn- changedNoneNoneHigh5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3251 | MySQL ServerInnoDBMySQL ProtocolNo6.5NetworkLowLowNoneUn- changedNoneNoneHigh5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3182 | MySQL ServerServer: DMLMySQL ProtocolNo6.5NetworkLowLowNoneUn- changedNoneNoneHigh8.0.12 and prior
CVE-2018-3137 | MySQL ServerServer: OptimizerMySQL ProtocolNo6.5NetworkLowLowNoneUn- changedNoneNoneHigh8.0.12 and prior
CVE-2018-3203 | MySQL ServerServer: OptimizerMySQL ProtocolNo6.5NetworkLowLowNoneUn- changedNoneNoneHigh8.0.12 and prior
CVE-2018-3133 | MySQL ServerServer: ParserMySQL ProtocolNo6.5NetworkLowLowNoneUn- changedNoneNoneHigh5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3145 | MySQL ServerServer: ParserMySQL ProtocolNo6.5NetworkLowLowNoneUn- changedNoneNoneHigh8.0.12 and prior
CVE-2018-3144 | MySQL ServerServer: Security: AuditMySQL ProtocolYes5.9NetworkHighNoneNoneUn- changedNoneNoneHigh5.7.23 and prior, 8.0.12 and prior
CVE-2018-3185 | MySQL ServerInnoDBMySQL ProtocolNo5.5NetworkLowHighNoneUn- changedNoneLowHigh5.7.23 and prior, 8.0.12 and prior
CVE-2018-3195 | MySQL ServerServer: DDLMySQL ProtocolNo5.5NetworkLowHighNoneUn- changedNoneLowHigh8.0.12 and prior
CVE-2018-3247 | MySQL ServerServer: MergeMySQL ProtocolNo5.5NetworkLowHighNoneUn- changedNoneLowHigh5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3187 | MySQL ServerServer: OptimizerMySQL ProtocolNo5.5NetworkLowHighNoneUn- changedNoneLowHigh5.7.23 and prior, 8.0.12 and prior
CVE-2018-3174 | MySQL ServerClient programsMySQL ProtocolNo5.3LocalHighHighNoneChangedNoneNoneHigh5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3171 | MySQL ServerServer: PartitionMySQL ProtocolNo5.0NetworkHighHighNoneUn- changedNoneLowHigh5.7.23 and prior, 8.0.12 and prior
CVE-2018-3277 | MySQL ServerInnoDBMySQL ProtocolNo4.9NetworkLowHighNoneUn- changedNoneNoneHigh5.7.23 and prior, 8.0.12 and prior
CVE-2018-3162 | MySQL ServerInnoDBMySQL ProtocolNo4.9NetworkLowHighNoneUn- changedNoneNoneHigh5.7.23 and prior, 8.0.12 and prior
CVE-2018-3173 | MySQL ServerInnoDBMySQL ProtocolNo4.9NetworkLowHighNoneUn- changedNoneNoneHigh5.7.23 and prior, 8.0.12 and prior
CVE-2018-3200 | MySQL ServerInnoDBMySQL ProtocolNo4.9NetworkLowHighNoneUn- changedNoneNoneHigh5.7.23 and prior, 8.0.12 and prior
CVE-2018-3170 | MySQL ServerServer: DDLMySQL ProtocolNo4.9NetworkLowHighNoneUn- changedNoneNoneHigh8.0.12 and prior
CVE-2018-3212 | MySQL ServerServer: Information SchemaMySQL ProtocolNo4.9NetworkLowHighNoneUn- changedNoneNoneHigh8.0.12 and prior
CVE-2018-3280 | MySQL ServerServer: JSONMySQL ProtocolNo4.9NetworkLowHighNoneUn- changedNoneNoneHigh8.0.12 and prior
CVE-2018-3276 | MySQL ServerServer: MemcachedMySQL ProtocolNo4.9NetworkLowHighNoneUn- changedNoneNoneHigh5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3186 | MySQL ServerServer: OptimizerMySQL ProtocolNo4.9NetworkLowHighNoneUn- changedNoneNoneHigh8.0.12 and prior
CVE-2018-3161 | MySQL ServerServer: PartitionMySQL ProtocolNo4.9NetworkLowHighNoneUn- changedNoneNoneHigh5.7.23 and prior, 8.0.12 and prior
CVE-2018-3278 | MySQL ServerServer: RBRMySQL ProtocolNo4.9NetworkLowHighNoneUn- changedNoneNoneHigh5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3279 | MySQL ServerServer: Security: RolesMySQL ProtocolNo4.9NetworkLowHighNoneUn- changedNoneNoneHigh8.0.12 and prior
CVE-2018-3282 | MySQL ServerServer: Storage EnginesMySQL ProtocolNo4.9NetworkLowHighNoneUn- changedNoneNoneHigh5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3285 | MySQL ServerServer: WindowsMySQL ProtocolNo4.9NetworkLowHighNoneUn- changedNoneNoneHigh8.0.12 and prior
CVE-2018-3284 | MySQL ServerInnoDBMySQL ProtocolNo4.4NetworkHighHighNoneUn- changedNoneNoneHigh5.7.23 and prior, 8.0.12 and prior
CVE-2018-3283 | MySQL ServerServer: LoggingMySQL ProtocolNo4.4NetworkHighHighNoneUn- changedNoneNoneHigh5.7.23 and prior, 8.0.12 and prior
CVE-2018-3286 | MySQL ServerServer: Security: PrivilegesMySQL ProtocolNo4.3NetworkLowLowNoneUn- changedNoneLowNone8.0.12 and prior