Oracle MySQL 5.7.x < 5.7.12 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 9615


The remote database server is vulnerable to multiple attack vectors.


The version of MySQL installed on the remote host is 5.7.x prior to 5.7.12 and is affected by multiple issues:

- A flaw exists related to certificate validation. The issue is due to the server hostname not being verified to match a domain name in the X.509 certificate. By spoofing the TLS/SSL server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data.
- An integer overflow condition exists that is triggered because user-supplied input is not properly validated during client handshake processing. This may allow an authenticated attacker to cause the server to exit.
- A flaw exists in which overly verbose error messages return part of the SQL statement that produced them. This may allow an authenticated attacker to gain access to potentially sensitive information.
- A flaw exists in InnoDB that is triggered during the handling of an 'ALTER TABLE' or 'ADD COLUMN' operation on a table with virtual columns. This may allow an authenticated attacker to crash the server.


Upgrade to MySQL 5.7.12 or later.

Plugin Details

Severity: Medium

ID: 9615

Family: Database

Published: 2016/09/30

Updated: 2019/03/06

Dependencies: 8914

Nessus ID: 90684

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 6.5

Temporal Score: 6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:mysql

Patch Publication Date: 2016/04/11

Vulnerability Publication Date: 2016/04/11

Reference Information

CVE: CVE-2016-2047