Vulnerability CVE-2012-5613


Published: 2012-12-03

Description:
** DISPUTED ** MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a and possibly other versions, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator. NOTE: the vendor disputes this issue, stating that this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation. NOTE: it could be argued that this should not be included in CVE because it is a configuration issue.

See advisories in our WLB2 database:
Topic: [High] MySQL (Linux) Database Privilege Elevation Zeroday Exploit
Author: Kingcope
Date: 02.12.2012

Type: CWE-16 (Configuration)

CVSS2 => (AV:N/AC:M/Au:S/C:P/I:P/A:P)

CVSS Base Score: 6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial
Affected software
Oracle -> Mysql 
Mariadb -> Mariadb 

References:
http://www.openwall.com/lists/oss-security/2012/12/02/4
http://www.openwall.com/lists/oss-security/2012/12/02/3
http://security.gentoo.org/glsa/glsa-201308-06.xml
http://secunia.com/advisories/53372
http://seclists.org/fulldisclosure/2012/Dec/6
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00000.html

Copyright 2024, cxsecurity.com

 
