CVE-2021-2471: Incorrect Authorization in MySQL Connector Java
5.9
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.98034%
CWE
Published
5/24/2022
Updated
1/27/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mysql:mysql-connector-java | maven | >= 8.0.0, <= 8.0.26 | 8.0.27 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (CWE-863) relates to incorrect authorization in MySQL Connector/J. The authentication handshake process is a critical point where authorization checks occur. The function 'proceedHandshakeWithPluggableAuthentication' is central to MySQL's pluggable authentication mechanism. A flaw here could allow a privileged attacker to exploit network communication (via JDBC) to bypass proper authorization checks. The CVSS vector (AV:N/AC:H/PR:H) aligns with a network-accessible, high-privilege attack targeting authentication logic. This function's role in the authentication flow makes it a high-confidence candidate for the vulnerability.