CVE-2019-2435
Description
Unauthenticated TLS attacker can modify or read all data accessible to MySQL Connector/Python 8.0.13 and earlier or 2.1.8 and earlier via a human-interaction attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2019-2435 is a high-severity vulnerability in the MySQL Connector/Python component of Oracle MySQL, affecting versions 8.0.13 and prior, as well as version 2.1.8 and prior [1]. The flaw resides in the Connector/Python subcomponent and is triggered during TLS network communication. It requires no authentication but depends on human interaction from a person other than the attacker, such as a victim clicking a link or opening a crafted file [1].
Exploitation
An unauthenticated attacker with network access can exploit this vulnerability via TLS, likely by performing a man-in-the-middle attack or delivering a malicious payload that the victim must interact with (e.g., accepting a certificate or opening a crafted connection string) [1]. The attack complexity is low, and no privileges are required, but successful exploitation depends on the victim taking a specific action [1].
Impact
Successful exploitation of CVE-2019-2435 results in both unauthorized access to read (confidentiality breach) and unauthorized creation, deletion, or modification (integrity breach) of all data accessible to the MySQL Connector/Python, including potentially critical data [1]. The CVSS 3.0 base score is 8.1 (High), with a vector string of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, indicating high impact on confidentiality and integrity, but no impact on availability [1].
Mitigation
Oracle has fixed this vulnerability in the Critical Patch Update (CPU) of January 2019. Users should upgrade to MySQL Connector/Python 8.0.14 or later, or to version 2.1.9 or later [1]. There is no known workaround, and applying the official patch is the only recommended mitigation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mysql-connector-python (PyPI) | >= 8.0.0, < 8.0.19 | 8.0.19 |
| mysql-connector-python (PyPI) | >= 2.1.0, <= 2.1.8 | — |
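The following is an added example, not code from Oracle or from the advisory: it audits a pip requirements file against the affected ranges in the table above. The function names and the sample file are constructed for illustration, and versions 8.0.14 to 8.0.18 are reported as affected because the table's range is used rather than the fix version given in the Mitigation text.

```python
import re

PACKAGE = "mysql-connector-python"
# (lowest, highest, highest_is_inclusive), copied from the Affected packages table
AFFECTED = [((8, 0, 0), (8, 0, 19), False), ((2, 1, 0), (2, 1, 8), True)]

NAME = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)(.*)")
EXACT_PIN = re.compile(r"==\s*(\d+(?:\.\d+)*)")

def parse_version(text):
    """'8.0' -> (8, 0, 0); handles numeric release segments only."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    v = parse_version(version)
    return any(low <= v and (v <= high if inclusive else v < high)
               for low, high, inclusive in AFFECTED)

def audit(requirements_text):
    """Return (line_number, spec, status) for each line naming the package."""
    findings = []
    for number, line in enumerate(requirements_text.splitlines(), 1):
        match = NAME.match(line.split("#", 1)[0])  # drop trailing comments
        if not match:
            continue
        name, spec = match.group(1), match.group(2).strip()
        # PEP 503 normalization: case-insensitive, runs of "-_." are equivalent
        if re.sub(r"[-_.]+", "-", name).lower() != PACKAGE:
            continue
        pin = EXACT_PIN.fullmatch(spec)
        if pin is None:
            status = "review"  # range, wildcard or no pin: installed version unknown
        else:
            status = "affected" if is_affected(pin.group(1)) else "ok"
        findings.append((number, spec, status))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = """\
# constructed sample requirements file
Django==2.2.9
mysql-connector-python==8.0.13
MySQL_Connector_Python==8.0.19   # patched per the table
mysql-connector-python==2.1.8
mysql-connector-python>=8.0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A `review` result means the file alone cannot decide the question; check the version actually installed in that environment.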
Affected products
- ghsa-coords (4 versions)
  - pkg:pypi/mysql-connector-python
  - pkg:rpm/opensuse/python-mysql-connector-python&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/python-mysql-connector-python&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/python-mysql-connector-python&distro=SUSE%20Package%20Hub%2015%20SP1
- (no CPE) range: >= 8.0.0, < 8.0.19
- (no CPE) range: < 8.0.19-lp151.3.3.1
- (no CPE) range: < 8.2.0-1.5
- (no CPE) range: < 8.0.19-bp151.4.3.1
- Range: 8.0.13 and prior
Patches
No patches discovered yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00044.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00053.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- github.com/advisories/GHSA-v5rq-w2xm-7g5f (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-2435 (ghsa, ADVISORY)
- www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (ghsa, x_refsource_CONFIRM, WEB)
- www.securityfocus.com/bid/106616 (ghsa, vdb-entry, x_refsource_BID, WEB)
- security.netapp.com/advisory/ntap-20190118-0002 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20190118-0002/ (mitre, x_refsource_CONFIRM)