CVE-2018-3258: Improper Privilege Management in MySQL Connectors Java
CVSS Score (v3.0): 8.8
Basic Information

- CVE ID: CVE-2018-3258
- GHSA ID:
- EPSS Score: 0.88714%
- CWE:
- Published: 5/13/2022
- Updated: 1/27/2023
- KEV Status: No
- Technology: Java
Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mysql:mysql-connector-java | maven | < 8.0.13 | 8.0.13 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from improper handling of asynchronous X Protocol messages when the `xdevapi.useAsyncProtocol` connection property was enabled. Key indicators include:
- The default activation of the async protocol in PropertyDefinitions.java created an insecure code path.
- The message-handling lifecycle of AsyncMessageReader (start -> read -> dispatch) lacked proper security validation.
- The TLS configuration in ExportControlled allowed weak ciphers when the async protocol was enabled.
- The patch focused on hardening async message processing, adding validation layers, and disabling the async protocol by default.

These functions represent the core async message-processing chain that would be active during exploitation when the vulnerable async protocol was enabled.