6.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-21363

GHSA ID

GHSA-g76j-4cxx-23h9

EPSS Score

0.50965%

CWE

CWE-280

Published

1/20/2022

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-21363

CVE-2022-21363: Improper Handling of Insufficient Permissions or Privileges in MySQL Connectors Java

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

(GitHub Advisory)

6.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-21363

GHSA ID

GHSA-g76j-4cxx-23h9

EPSS Score

0.50965%

CWE

CWE-280

Published

1/20/2022

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mysql:mysql-connector-java	maven	<= 8.0.27	8.0.28

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper query classification for read-only connections. Key changes include:

ClientPreparedStatement's safety check moving from simple first character inspection to proper query type analysis
Enhanced query parsing logic in ParseInfo with new QueryReturnType enum
Replacement of string parsing utilities with more robust StringInspector These changes indicate the previous implementations had insufficient security checks that could be bypassed through query structure manipulation or comment exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Vuln*r**ility in t** MySQL *onn**tors pro*u*t o* Or**l* MySQL (*ompon*nt: *onn**tor/J). Support** v*rsions t**t *r* *****t** *r* *.*.** *n* prior. *i**i*ult to *xploit vuln*r**ility *llows *i** privil**** *tt**k*r wit* n*twork ****ss vi* multipl* pro

Reasoning

T** vuln*r**ility st*mm** *rom improp*r qu*ry *l*ssi*i**tion *or r***-only *onn**tions. K*y ***n**s in*lu**: *. *li*ntPr*p*r**St*t*m*nt's s***ty ****k movin* *rom simpl* *irst ***r**t*r insp**tion to prop*r qu*ry typ* *n*lysis *. *n**n*** qu*ry p*rsi

6.6

Basic Information

Concerned about an active attack path?

CVE-2022-21363: Improper Handling of Insufficient Permissions or Privileges in MySQL Connectors Java

6.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI