
Re: Vulnerabilities on python packages
Posted by: Abdullah Shahid
Date: September 08, 2023 07:29AM

Based on the information provided, it appears that the recent mysql-shell release for Linux does contain versions of the cryptography and setuptools Python packages that contain known vulnerabilities. Specifically:

The cryptography package versions included contain vulnerabilities CVE-2023-0286, CVE-2023-23931, and GHSA-5cpq-8wj7-hf2v. These allow for denial of service, information leaks, and other impacts if exploited.
The setuptools package version contains vulnerability CVE-2022-40897 which could allow arbitrary code execution if exploited.

Since mysql-shell relies on and bundles these specific Python package versions, it likely is affected by these vulnerabilities. Ideally, mysql-shell should update the bundled cryptography and setuptools packages to newer versions that contain fixes for these CVEs.

However, since these packages seem to be considered fixed requirements for the current release, mysql-shell may be limited in its ability to update them until a new version is released. As a workaround, users could potentially install newer versions of the Python packages separately on systems running mysql-shell, but that has tradeoffs as well.
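As an added example (not part of the post above, and not mysql-shell's own tooling), the script below audits the site-packages directory of the Python that mysql-shell bundles and reports any copy of cryptography or setuptools older than an assumed minimum fixed version. The thresholds in ASSUMED_FIXED are assumptions to confirm against the upstream advisories, and the fixture directory is constructed in a temp dir so the script runs offline.

```python
import os
import re
import tempfile

# Minimum versions assumed to carry the fixes for the advisories named in the
# post; these are assumptions, not values from the post, so confirm them
# against the upstream advisories before relying on them.
ASSUMED_FIXED = {"cryptography": "41.0.0", "setuptools": "65.5.1"}

def parse_version(v):
    """Turn '39.0.1' into (39, 0, 1); local-version suffixes after '+' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("+")[0]))

def read_metadata(path):
    """Extract Name and Version from a dist-info METADATA file."""
    name = version = None
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            if line.startswith("Name:"):
                name = line.split(":", 1)[1].strip().lower()
            elif line.startswith("Version:"):
                version = line.split(":", 1)[1].strip()
            if name and version:
                break
    return name, version

def audit_bundled_packages(site_dir, minimums=ASSUMED_FIXED):
    """Return {package: (found_version, minimum)} for tracked packages below the minimum."""
    findings = {}
    for entry in os.listdir(site_dir):
        meta = os.path.join(site_dir, entry, "METADATA")
        if not entry.endswith(".dist-info") or not os.path.isfile(meta):
            continue
        name, version = read_metadata(meta)
        if name in minimums and parse_version(version) < parse_version(minimums[name]):
            findings[name] = (version, minimums[name])
    return findings

def make_fake_site_dir(packages):
    """Constructed fixture: a site-packages dir holding the given {name: version}."""
    site = tempfile.mkdtemp()
    for name, version in packages.items():
        d = os.path.join(site, f"{name}-{version}.dist-info")
        os.mkdir(d)
        with open(os.path.join(d, "METADATA"), "w", encoding="utf-8") as fh:
            fh.write(f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
    return site

if __name__ == "__main__":
    # Constructed sample: versions chosen to be below the assumed thresholds.
    site = make_fake_site_dir({"cryptography": "38.0.4", "setuptools": "63.2.0"})
    print(audit_bundled_packages(site))
```

To audit a real installation, point audit_bundled_packages at the site-packages directory of mysql-shell's bundled Python instead of the constructed fixture.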
