Critical vulnerabilities have been found in one of the most popular databases i.e. MySQL.
David Golunski, a security researcher discovered two zero days, which allow an attacker to access the complete database. All the current supported versions of MySQL are vulnerable to this vulnerability.
- MySQL Remote Root Code Execution (CVE-2016-6662)
- Privilege Escalation (CVE-2016-6663)
Earlier David Golunski published exploit for CVE-2016-6662 at his blog. He reported this issue to Oracle but they didn’t fix it.
Golunski promised to publish exploit for another bug(CVE-2016-6663) too.
Both the vulnerabilities affect MySQL version 5.5.51 and earlier, MySQL version 5.6.32 and earlier, and MySQL version 5.7.14 and earlier, as well as MySQL forks – Percona Server and MariaDB.
Now Golunski has published the proof-of-concept exploit code for both the vulnerabilities.
The vulnerabilities have been fixed by their vendors and released a security patch for these.