Independent researcher spots unpatched MySQL vulnerability
The flaws affect all MySQL servers in default configuration in all version branches.
Information security researcher Dawid Golunski spotted several critical vulnerabilities in MySQL which could allow remote code execution and privilege escalation.
The flaws affect all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions and could potentially affect other web applications if a successful attack compromised the server which the affected MySQL service is running on, according to a Sept. 12 blog post.
The vulnerability can be exploited both locally and remotely and both the authenticated access to MySQL database and SQL Injection could be used as exploitation vectors, the blog said.
Golunski reported the issue to Oracle on July 29, 2016, as well as to other affected vendors including PerconaDB and MariaDB. The two vendors patched the vulnerability in their own platforms on Aug. 30 however, there has yet to be an official update.