Yaoguang Chen

**Name of the Vulnerable Software and Affected Versions** NSS versions prior to 3.73 or 3.68.1 ESR **Description** The issue is related to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution, and Evince, are believed to be impacted. The vulnerability may allow a remote attacker to execute arbitrary code. **Recommendations** For NSS versions prior to 3.73 or 3.68.1 ESR, update to version 3.73 or 3.68.1 ESR or later to resolve the issue. As a temporary workaround, consider disabling the use of DER-encoded DSA or RSA-PSS signatures until a patch is available. Restrict access to vulnerable applications, such as email clients and PDF viewers, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MySQL Server versions 5.7.36 and prior MySQL Server versions 8.0.27 and prior **Description** The issue is related to errors in resource release in the MySQL Server product, specifically in the Server: Stored Procedure component. It allows a high-privileged attacker with network access via multiple protocols to compromise the MySQL Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of the MySQL Server. **Recommendations** For MySQL Server versions 5.7.36 and prior, update to a version later than 5.7.36 to resolve the issue. For MySQL Server versions 8.0.27 and prior, update to a version later than 8.0.27 to resolve the issue. As a temporary workaround, consider restricting network access to the MySQL Server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MySQL Server versions 5.7.36 and prior MySQL Server versions 8.0.27 and prior **Description** The issue is related to errors in resource release in the MySQL Server product, specifically in the Server: Parser component. It allows a high-privileged attacker with network access via multiple protocols to compromise the MySQL Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of the MySQL Server. **Recommendations** For MySQL Server versions 5.7.36 and prior, update to a version later than 5.7.36 to resolve the issue. For MySQL Server versions 8.0.27 and prior, update to a version later than 8.0.27 to resolve the issue. As a temporary workaround, consider restricting network access to the MySQL Server to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Oracle MySQL versions 8.0.26 and prior Description: The issue allows a high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash of MySQL Server. Recommendations: For versions 8.0.26 and prior, update to a version later than 8.0.26 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Oracle MySQL versions 8.0.26 and prior Description: The issue allows a high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash of MySQL Server. Recommendations: For versions 8.0.26 and prior, update to a version later than 8.0.26 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Oracle Database Server versions 12.1.0.2, 12.2.0.1, 19c, 21c Description: The issue affects the Core RDBMS component, allowing a low-privileged attacker with Create Table privilege and network access via Oracle Net to compromise Core RDBMS. This can result in a partial denial of service (partial DOS) of Core RDBMS. Recommendations: For versions 12.1.0.2, 12.2.0.1, 19c, 21c, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Oracle MySQL versions 8.0.26 and prior Description: The issue allows a high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash of MySQL Server. Recommendations: For versions 8.0.26 and prior, update to a version later than 8.0.26 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: MySQL Server versions 8.0.26 and prior Description: A vulnerability in the MySQL Server product allows a high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in unauthorized ability to cause a hang or frequently repeatable crash of MySQL Server. Recommendations: For versions 8.0.26 and prior, update to a version later than 8.0.26 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Oracle MySQL versions 8.0.26 and prior Description: The issue allows a high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash of MySQL Server. Recommendations: For versions 8.0.26 and prior, update to a version later than 8.0.26 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Oracle MySQL versions 8.0.26 and prior Description: The issue allows a high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash of MySQL Server. Recommendations: For versions 8.0.26 and prior, update to a version later than 8.0.26 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MariaDB Server versions 10.6.2 and below **Description** An issue in the component Arg comparator::compare real fixed was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements. The vulnerability is related to the lack of protection measures for the SQL query structure, which can be exploited by a remote attacker to cause a denial of service using a specially crafted SQL request. **Recommendations** For MariaDB Server versions 10.6.2 and below, consider disabling the Arg comparator::compare real fixed component as a temporary workaround until a patch is available. Restrict access to specially crafted SQL statements to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server version 19c **Description** The issue is related to insufficient input validation in the Core RDBMS component of Oracle Database Server. This allows a low-privileged attacker with Create Table privilege and network access via Oracle Net to compromise Core RDBMS, potentially resulting in a partial denial of service. **Recommendations** For version 19c, apply the necessary patches or updates to resolve the issue. As a temporary workaround, consider restricting network access via Oracle Net to minimize the risk of exploitation. Additionally, limit the Create Table privilege to authorized users only.

**Name of the Vulnerable Software and Affected Versions** MySQL Server versions 8.0.25 and prior **Description** The issue is related to errors in resource release in the MySQL Server: Optimizer component. It allows a remote attacker to cause a denial of service. Successful attacks can result in the ability to cause a hang or frequently repeatable crash of the MySQL Server. **Recommendations** For versions 8.0.25 and prior, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting network access to the MySQL Server to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Cameralyzer versions prior to 3.2.1041 in 3.2.x Cameralyzer versions prior to 3.3.1040 in 3.3.x Cameralyzer versions prior to 3.4.4210 in 3.4.x Description: The issue is related to improper access control in Cameralyzer, allowing untrusted applications to access certain functions. Recommendations: For versions prior to 3.2.1041 in 3.2.x, update to version 3.2.1041 or later. For versions prior to 3.3.1040 in 3.3.x, update to version 3.3.1040 or later. For versions prior to 3.4.4210 in 3.4.x, update to version 3.4.4210 or later.

**Name of the Vulnerable Software and Affected Versions** MariaDB Server versions 10.6 and below **Description** An issue in the component Field::set default of MariaDB Server was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements. The vulnerability is related to the lack of protection measures for the SQL query structure, which can be exploited by a remote attacker to cause a denial of service using a specially crafted SQL request. **Recommendations** For MariaDB Server versions 10.6 and below, consider disabling the Field::set default component as a temporary workaround until a patch is available. Restrict access to the SQL query structure to minimize the risk of exploitation. Avoid using specially crafted SQL statements in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Hyperion Analytic Provider Services versions 11.1.2.4 and 12.2.1.4 Essbase Analytic Provider Services version 21.2 **Description** The issue is related to insufficient input validation in the JAPI component of the affected software, allowing an unauthenticated attacker with network access via HTTP to compromise Hyperion Analytic Provider Services. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products, potentially resulting in the takeover of Hyperion Analytic Provider Services. **Recommendations** For Hyperion Analytic Provider Services versions 11.1.2.4 and 12.2.1.4, update to a version that includes the fix for this issue. For Essbase Analytic Provider Services version 21.2, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the JAPI component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MySQL Server versions 8.0.23 and prior **Description** The issue is related to errors in resource release in the MySQL Server: Optimizer component. It allows a remote attacker to cause a denial of service. Successful attacks can result in the ability to cause a hang or frequently repeatable crash of the MySQL Server. **Recommendations** For versions 8.0.23 and prior, update to a version that contains a fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MySQL Server versions 5.7.33 and prior MySQL Server versions 8.0.23 and prior **Description** The issue is related to insufficient input validation in the Server: Optimizer component of Oracle MySQL Server. It allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. **Recommendations** For MySQL Server versions 5.7.33 and prior, update to a version later than 5.7.33 to resolve the issue. For MySQL Server versions 8.0.23 and prior, update to a version later than 8.0.23 to resolve the issue. As a temporary workaround, consider restricting network access to the MySQL Server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle MySQL Server versions 8.0.23 and prior **Description** The issue is related to insufficient input validation in the Server: Optimizer component of Oracle MySQL Server. It allows a high-privileged attacker with network access via multiple protocols to compromise the MySQL Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of the MySQL Server. **Recommendations** For Oracle MySQL Server versions 8.0.23 and prior, update to a version later than 8.0.23 to resolve the issue. As a temporary workaround, consider restricting network access to the MySQL Server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions 2.4.39 through 2.4.46 **Description** The issue exists due to insufficient input validation in the Apache HTTP Server. Exploitation of this issue may allow a remote attacker to impact the integrity of protected information. The problem is related to unexpected matching behavior when 'MergeSlashes OFF' is set. **Recommendations** For Apache HTTP Server versions 2.4.39 through 2.4.46, update to a version that fixes the unexpected matching behavior with 'MergeSlashes OFF'. At the moment, there is no information about a newer version that contains a fix for this vulnerability.