Vulnerability Name: CVE-2008-4097 (CCN-45648)
Assigned: 2008-09-09
Published: 2008-09-09
Updated: 2020-02-18
Summary: MySQL 5.0.51a allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are associated with symlinks within pathnames for subdirectories of the MySQL home data directory, which are followed when tables are created in the future. Note: this vulnerability exists because of an incomplete fix for CVE-2008-2079. Per http://www.securityfocus.com/bid/29106 this vulnerability is remotely exploitable.
CVSS v3 Severity: 5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVSS v2 Severity: 4.6 Medium (CVSS v2 Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P)
    3.4 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C)
    3.2 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References:
    Source: CCN Type: Debian Bug report logs - #480292 Re: CVE-2008-2079: mysql allows local users to bypass certain privilege checks
    Source: CONFIRM Type: Third Party Advisory http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25
    Source: MITRE Type: CNA CVE-2008-4097
    Source: CCN Type: MySQL Web site MySQL Downloads
    Source: SUSE Type: Third Party Advisory SUSE-SR:2008:025
    Source: SECUNIA Type: Vendor Advisory 32759
    Source: SECUNIA Type: Broken Link, Not Applicable 32769
    Source: DEBIAN Type: DSA-1662 mysql-dfsg-5.0 -- authorization bypass
    Source: MANDRIVA Type: Broken Link MDVSA-2009:094
    Source: CCN Type: oss-security Mailing List, Tue, 9 Sep 2008 22:23:45 +0200 Re: CVE request: MySQL incomplete fix for CVE-2008-2079
    Source: MLIST Type: Mailing List [oss-security] 20080909 Re: CVE request: MySQL incomplete fix for CVE-2008-2079
    Source: CCN Type: oss-security Mailing List, Mon, 15 Sep 2008 20:53:40 -0400 (EDT) Re: CVE request: MySQL incomplete fix for CVE-2008-2079
    Source: MLIST Type: Mailing List [oss-security] 20080916 Re: CVE request: MySQL incomplete fix for CVE-2008-2079
    Source: CCN Type: OSVDB ID: 44937 MySQL MyISAM Table CREATE TABLE Privilege Check Bypass
    Source: CCN Type: USN-671-1 MySQL vulnerabilities
    Source: UBUNTU Type: Third Party Advisory USN-671-1
    Source: XF Type: UNKNOWN mysql-myisam-symlinks-security-bypass(45648)
    Source: XF Type: VDB Entry mysql-myisam-symlinks-security-bypass(45648)
    Source: SUSE Type: SUSE-SR:2008:025 SUSE Security Summary Report
    Source: SUSE Type: SUSE-SR:2009:001 SUSE Security Summary Report
Vulnerable Configuration: Configuration 1: Configuration CCN 1: Denotes that component is vulnerable