CVE-2017-3590
Description
A low-privileged attacker with local system access can arbitrarily modify data handled by MySQL Connector/Python 2.1.5 and earlier.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2017-3590 is a vulnerability in the MySQL Connectors component of Oracle MySQL, specifically in the Connector/Python subcomponent. Affected versions are 2.1.5 and earlier [1]. The issue allows a low-privileged attacker with logon access to the infrastructure where the connector executes to compromise the connector's integrity [1]. The CVSS v3.0 base score is 3.3, with a vector of AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating a local attack with low complexity and no user interaction required [1].
Exploitation
To exploit this vulnerability, an attacker must have local access to the system running MySQL Connector/Python and possess low-level privileges [1]. The attack requires logon to the infrastructure, meaning the attacker must be able to execute code or commands on the machine where the connector is installed. No user interaction is needed, and the attack complexity is low [1]. The specific steps or mechanism of exploitation are not detailed in the available references.
Impact
Successful exploitation results in unauthorized update, insert, or delete operations on some of the data accessible through MySQL Connector/Python [1]. The impact is limited to integrity (no confidentiality or availability impact), and only some of the connector's accessible data is affected [1]. The attacker does not gain elevated privileges beyond their existing low-level access to the system.
Mitigation
Oracle has not provided a direct patch in the available references, but the vulnerability is addressed in MySQL Connector/Python version 2.1.6 and later [1][2]. Users should upgrade to a version newer than 2.1.5. As of the publication date (2017-04-24), the fixed version is available. No workarounds are documented in the referenced sources.
- [1] NVD - CVE-2017-3590
- [2] GitHub - mysql/mysql-connector-python: MySQL Connector/Python is implementing the MySQL Client/Server protocol completely in Python. No MySQL libraries are needed, and no compilation is necessary to run this Python DB API v2.0 compliant driver. Documentation & Download: http://dev.mysql.com/doc/connector-python/en
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mysql-connector-python (PyPI) | <= 2.1.5 | — |
Affected products
- cpe:2.3:a:oracle:connector\/python:*:*:*:*:*:*:*:* Range: <=2.1.5
- Range: 2.1.5 and earlier
Patches
No patches discovered yet.
References
- www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html (nvd: Patch, Vendor Advisory; WEB)
- www.securityfocus.com/bid/97840 (nvd: Third Party Advisory, VDB Entry; WEB)
- github.com/advisories/GHSA-2cf3-g243-hhfx (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-3590 (ghsa: ADVISORY)
- www.securitytracker.com/id/1038287 (nvd: WEB)