MDVSA-2009:326Executive Summary
| Informations | |||
|---|---|---|---|
| Name | MDVSA-2009:326 | First vendor Publication | 2009-12-07 |
| Vendor | Mandriva | Last vendor Modification | 2009-12-07 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:S/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 8.5 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Medium |
| Cvss Expoit Score | 6.8 | Authentification | Requires single instance |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
Multiple vulnerabilities has been found and corrected in mysql: MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does not properly handle a b'' (b single-quote single-quote) token, aka an empty bit-string literal, which allows remote attackers to cause a denial of service (daemon crash) by using this token in a SQL statement (CVE-2008-3963). MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097 (CVE-2008-4098). Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document (CVE-2008-4456). Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details are obtained from third party information (CVE-2009-2446). Packages for 2008.0 are being provided due to extended support for Corporate products. This update provides fixes for this vulnerability. |
Original Source
| Url : http://www.mandriva.com/security/advisories?name=MDVSA-2009:326 |
CWE : Common Weakness Enumeration
| id | Name |
|---|---|
| CWE-134 | Uncontrolled Format String |
| CWE-264 | Permissions, Privileges, and Access Controls |
| CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:10521 | |||
| Oval ID: | oval:org.mitre.oval:def:10521 | ||
| Title: | MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does not properly handle a b'' (b single-quote single-quote) token, aka an empty bit-string literal, which allows remote attackers to cause a denial of service (daemon crash) by using this token in a SQL statement. | ||
| Description: | MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does not properly handle a b'' (b single-quote single-quote) token, aka an empty bit-string literal, which allows remote attackers to cause a denial of service (daemon crash) by using this token in a SQL statement. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2008-3963 |
Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 |
Product(s): | |
| Definition Synopsis: | |||
|
|||
| Definition Id: oval:org.mitre.oval:def:10591 | |||
| Oval ID: | oval:org.mitre.oval:def:10591 | ||
| Title: | MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097. | ||
| Description: | MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2008-4098 |
Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 |
Product(s): | |
| Definition Synopsis: | |||
|
|||
| Definition Id: oval:org.mitre.oval:def:11456 | |||
| Oval ID: | oval:org.mitre.oval:def:11456 | ||
| Title: | Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, and other versions including versions later than 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. NOTE: as of 20081031, the issue has not been fixed in MySQL 5.0.67. | ||
| Description: | Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, and other versions including versions later than 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. NOTE: as of 20081031, the issue has not been fixed in MySQL 5.0.67. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2008-4456 |
Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 |
Product(s): | |
| Definition Synopsis: | |||
|
|||
| Definition Id: oval:org.mitre.oval:def:11857 | |||
| Oval ID: | oval:org.mitre.oval:def:11857 | ||
| Title: | Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details are obtained from third party information. | ||
| Description: | Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details are obtained from third party information. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2009-2446 |
Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 |
Product(s): | |
| Definition Synopsis: | |||
|
|||
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
| id | Description |
|---|---|
| 55734 | MySQL sql_parse.cc dispatch_command() Function Format String DoS |
| 48710 | MySQL Command Line Client HTML Output XSS |
| 48021 | MySQL Empty Bit-String Literal Token SQL Statement DoS |
| 44937 | MySQL MyISAM Table CREATE TABLE Privilege Check Bypass |
(High)
(Medium)
(Low)
