Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2006-3469 — Use of Externally-Controlled Format String in Mysql

CWE-134 — Use of Externally-Controlled Format String7 documents6 sources

Severity

4.0MEDIUMNVD

EPSS

54.1%

top 1.98%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Mysql Oracle Mysql

Timeline

PublishedJul 21

Latest updateMay 1

Description

Format string vulnerability in time.cc in MySQL Server 4.1 before 4.1.21 and 5.0 before 1 April 2006 allows remote authenticated users to cause a denial of service (crash) via a format string instead of a date as the first parameter to the date_format function, which is later used in a formatted print call to display the error message.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 8.0 | Impact: 2.9

Affected Packages2 packages

▶NVDmysql/mysql10 versions+9

▶NVDoracle/mysql15 versions+14

Patches

Patch: www.debian.org ↗Patch: www.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-vx28-8m2j-873p: Format string vulnerability in time↗2022-05-01

▶

💥Exploits & PoCs

Exploit-DB

MySQL 4.x/5.x - Server Date_Format Denial of Service↗2006-07-18

▶

📋Vendor Advisories

Ubuntu

mysql-dfsg-4.1 vulnerability↗2006-07-21

▶

Red Hat

mysql server DoS↗2006-06-27

▶

💬Community

Bugzilla

CVE-2006-3469 mysql server DoS↗2006-08-09

▶

Bugzilla

CVE-2006-3469 mysql server DoS↗2006-08-09

▶