Skip to content

DRAFT: FDW security advisories (mysql_fdw / mongo_fdw / hdfs_fdw)#7189

Draft
vtran-edb wants to merge 1 commit into
developfrom
security/fdw-advisories-draft
Draft

DRAFT: FDW security advisories (mysql_fdw / mongo_fdw / hdfs_fdw)#7189
vtran-edb wants to merge 1 commit into
developfrom
security/fdw-advisories-draft

Conversation

@vtran-edb

Copy link
Copy Markdown
Contributor

Summary

Draft security advisories for the three foreign data wrappers, covering the vulnerabilities fixed under FDW-753 / FDW-754 / FDW-755 / FDW-759. Adds seven advisory .mdx files (formatted to cve.mdx.template) plus the regenerated advisories/index.mdx.

This is a DRAFT for dev-team review before publication — not for merge as-is.

Advisories

File Component CWE CVSS
cve-A-mysql_fdw-multibyte-charset-sqli mysql_fdw CWE-89 8.1 High
cve-B-mysql_fdw-privileged-connection-options mysql_fdw CWE-269 / CWE-73 8.0 High
cve-C-mysql_fdw-sqli-analyze-import-sqlmode mysql_fdw CWE-89 7.2 High
cve-D-mysql_fdw-import-hostile-server-injection mysql_fdw CWE-89 7.4 High
cve-E-mongo_fdw-uri-injection mongo_fdw CWE-74 / CWE-88 5.4 Medium
cve-F-hdfs_fdw-hiveql-injection hdfs_fdw CWE-89 7.7 High
cve-G-mongo_fdw-objectid-oob-read mongo_fdw CWE-125 4.2 Medium

Placeholders to resolve before publishing

  • CVE IDs — every file uses CVE-YYYY-NNNN (in title, navTitle, the NVD link, and the filename → rename to cve<year><number>.mdx).
  • First Published date — currently TBD (drafts group under a "Released TBD" section in the index).
  • First-fix release version — Remediation tables say "Pending release"; affected versions captured (mysql_fdw ≤ REL-2_9_3, mongo_fdw ≤ v3.0 / REL-5_5_3, hdfs_fdw ≤ v2.3.3). Confirm the earliest affected release.
  • Re-run tools/automation/generators/advisoryindex after real IDs/dates are set so the index regenerates cleanly.

Reviewer notes

  • CVE-E (mongo_fdw URI injection) is rated 5.4 Medium, not the originally-proposed 8.5 High. The TLS-downgrade path requires server-owner privilege (authentication_database/replica_set are server options), not a plain user mapping; the low-privilege vector is connection redirection. See the advisory's Note block.
  • ⚠️ CVE-G (mongo_fdw ObjectId OOB read) — DO NOT PUBLISH yet. The vulnerability is confirmed in source, but its fix (commit 5d48478) is not attached to FDW-753 and has not been independently reviewed. Please review that commit and give it a review record before this advisory ships. PSIRT to confirm whether a CVE is warranted.

index.mdx was regenerated with the official generator (not hand-edited); the security/assessments indexes were unchanged.

🤖 Generated with Claude Code

Add seven draft CVE advisories for the MySQL, MongoDB, and HDFS foreign
data wrappers, formatted to the security advisory template, plus the
regenerated advisories index.

DRAFT for dev-team review before publication. Placeholders remain:
- CVE IDs (CVE-YYYY-NNNN) pending assignment
- First Published dates and first-fix release versions
- CVE-G (mongo_fdw ObjectId OOB read) has an unresolved traceability gap
  and MUST NOT be published until commit 5d48478 is reviewed.

index.mdx regenerated via tools/automation/generators/advisoryindex.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@mpfuster mpfuster added the oncall label Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants