Executive Summary
| Informations | |||
|---|---|---|---|
| Name | CVE-2008-4097 | First vendor Publication | 2008-09-18 |
| Vendor | Cve | Last vendor Modification | 2024-11-21 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:H/Au:S/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 4.6 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | High |
| Cvss Expoit Score | 3.9 | Authentication | Requires single instance |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| MySQL 5.0.51a allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are associated with symlinks within pathnames for subdirectories of the MySQL home data directory, which are followed when tables are created in the future. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-2079. |
Original Source
| Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4097 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:18440 | |||
| Oval ID: | oval:org.mitre.oval:def:18440 | ||
| Title: | DSA-1662-1 mysql-dfsg-5.0 - authorisation bypass | ||
| Description: | A symlink traversal vulnerability was discovered in MySQL, a relational database server. The weakness could permit an attacker having both CREATE TABLE access to a database and the ability to execute shell commands on the database server to bypass MySQL access controls, enabling them to write to tables in databases to which they would not ordinarily have access. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1662-1 CVE-2008-4098 CVE-2008-4097 | Version: | 7 |
| Platform(s): | Debian GNU/Linux 4.0 | Product(s): | mysql-dfsg-5.0 |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:7628 | |||
| Oval ID: | oval:org.mitre.oval:def:7628 | ||
| Title: | DSA-1662 mysql-dfsg-5.0 -- authorisation bypass | ||
| Description: | A symlink traversal vulnerability was discovered in MySQL, a relational database server. The weakness could permit an attacker having both CREATE TABLE access to a database and the ability to execute shell commands on the database server to bypass MySQL access controls, enabling them to write to tables in databases to which they would not ordinarily have access. The Common Vulnerabilities and Exposures project identifies this vulnerability as CVE-2008-4098. Note that a closely aligned issue, identified as CVE-2008-4097, was prevented by the update announced in DSA-1608-1. This new update supersedes that fix and mitigates both potential attack vectors. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1662 CVE-2008-4098 CVE-2008-4097 | Version: | 3 |
| Platform(s): | Debian GNU/Linux 4.0 | Product(s): | mysql-dfsg-5.0 |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2012-02-12 | Name : Gentoo Security Advisory GLSA 201201-02 (MySQL) File : nvt/glsa_201201_02.nasl |
| 2009-12-10 | Name : Mandriva Security Advisory MDVSA-2009:326 (mysql) File : nvt/mdksa_2009_326.nasl |
| 2009-10-13 | Name : SLES10: Security update for MySQL File : nvt/sles10_mysql0.nasl |
| 2009-10-10 | Name : SLES9: Security update for MySQL File : nvt/sles9p5040120.nasl |
| 2009-06-05 | Name : Ubuntu USN-763-1 (xine-lib) File : nvt/ubuntu_763_1.nasl |
| 2009-04-28 | Name : Mandrake Security Advisory MDVSA-2009:094 (mysql) File : nvt/mdksa_2009_094.nasl |
| 2009-04-23 | Name : MySQL MyISAM Table Privileges Secuity Bypass Vulnerability File : nvt/mysql_29106.nasl |
| 2009-03-23 | Name : Ubuntu Update for mysql-dfsg-5.0 vulnerabilities USN-671-1 File : nvt/gb_ubuntu_USN_671_1.nasl |
| 2009-01-20 | Name : SuSE Security Summary SUSE-SR:2009:001 (OpenSuSE 11.1) File : nvt/suse_sr_2009_001.nasl |
| 2009-01-20 | Name : SuSE Security Summary SUSE-SR:2009:001 (OpenSuSE 11.0) File : nvt/suse_sr_2009_001a.nasl |
| 2009-01-20 | Name : SuSE Security Summary SUSE-SR:2009:001 (OpenSuSE 10.3) File : nvt/suse_sr_2009_001b.nasl |
| 2009-01-02 | Name : FreeBSD Ports: mysql-server File : nvt/freebsd_mysql-server15.nasl |
| 2008-11-19 | Name : Debian Security Advisory DSA 1662-1 (mysql-dfsg-5.0) File : nvt/deb_1662_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 44937 | MySQL MyISAM Table CREATE TABLE Privilege Check Bypass |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_mysql_20130924.nasl - Type : ACT_GATHER_INFO |
| 2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0110.nasl - Type : ACT_GATHER_INFO |
| 2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1289.nasl - Type : ACT_GATHER_INFO |
| 2012-01-16 | Name : The remote database server allows a local user to circumvent privileges. File : mysql_6_0_14_priv_bypass.nasl - Type : ACT_GATHER_INFO |
| 2012-01-06 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201201-02.nasl - Type : ACT_GATHER_INFO |
| 2010-02-18 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0110.nasl - Type : ACT_GATHER_INFO |
| 2010-02-17 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0110.nasl - Type : ACT_GATHER_INFO |
| 2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1289.nasl - Type : ACT_GATHER_INFO |
| 2009-12-08 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-326.nasl - Type : ACT_GATHER_INFO |
| 2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12256.nasl - Type : ACT_GATHER_INFO |
| 2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_libmysqlclient-devel-080919.nasl - Type : ACT_GATHER_INFO |
| 2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-094.nasl - Type : ACT_GATHER_INFO |
| 2009-04-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-671-1.nasl - Type : ACT_GATHER_INFO |
| 2008-12-30 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_738f8f9ed66111dda7650030843d3802.nasl - Type : ACT_GATHER_INFO |
| 2008-12-21 | Name : The remote openSUSE host is missing a security update. File : suse_libmysqlclient-devel-5619.nasl - Type : ACT_GATHER_INFO |
| 2008-12-01 | Name : The remote openSUSE host is missing a security update. File : suse_mysql-5613.nasl - Type : ACT_GATHER_INFO |
| 2008-11-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_mysql-5618.nasl - Type : ACT_GATHER_INFO |
| 2008-11-06 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1662.nasl - Type : ACT_GATHER_INFO |
Sources (Detail)
Alert History
| Date | Informations |
|---|---|
| 2024-11-28 23:13:30 |
|
| 2024-11-28 12:16:30 |
|
| 2021-05-04 12:08:42 |
|
| 2021-04-22 01:09:02 |
|
| 2020-05-23 00:22:15 |
|
| 2018-06-20 12:01:42 |
|
| 2017-08-08 09:24:23 |
|
| 2016-04-26 17:49:42 |
|
| 2015-01-21 13:24:39 |
|
| 2014-02-17 10:46:35 |
|
| 2013-05-11 00:26:17 |
|
