CVE Vulnerability

CVE-2022-31026

Trilogy is a client library for MySQL. When authenticating, a malicious server could return a specially crafted authentication packet, causing the client to read and return up to 12 bytes of data from an uninitialized variable in stack memory. Users of the trilogy gem should upgrade to version 2.1.1 This issue can be avoided by only connecting to trusted servers.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/github/trilogy/security/advisories/GHSA-5g4r-2qhx-vqfm Third Party Advisory
https://github.com/github/trilogy/commit/6bed62789eaf119902b0fe247d2a91d56c31a962 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:trilogy_project:trilogy:*:*:*:*:*:ruby:*:*
Information

Published : 2022-06-09 01:15

Updated : 2022-06-15 06:26

NVD link : CVE-2022-31026

Mitre link : CVE-2022-31026

Products Affected
No products.
CWE
CWE-908