CVE-2008-2079 — Link Following in Mysql

CWE-264 CWE-59 — Link Following15 documents5 sources

Severity

4.6MEDIUMNVD

NVD4.4

EPSS

0.6%

top 31.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mysql Oracle Mysql Canonical Ubuntu Linux +1 more

Timeline

PublishedMay 5

Latest updateMay 2

Description

MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and 6.0.x before 6.0.5 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL home data directory, which can point to tables that are created in the future.

CVSS vector

AV:N/AC:H/C:P/I:P/A:PExploitability: 3.9 | Impact: 6.4

Affected Packages2 packages

▶NVDmysql/mysql4.1.0 — 4.1.24+5

▶NVDoracle/mysql6.0.0 — 6.0.5+24

Also affects: Debian Linux 4.0, Ubuntu Linux 6.06, 7.10, 8.04

Patches

Patch: bugs.mysql.com ↗Patch: www.securityfocus.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-q8q6-rcmj-g45q: MySQL 5↗2022-05-02

▶

GHSA

GHSA-rxrr-c7mj-hq68: MySQL 5↗2022-05-02

▶

GHSA

GHSA-789p-mwwq-w5cp: MySQL 4↗2022-05-01

▶

📋Vendor Advisories

Red Hat

mysql: Incomplete fix for CVE-2008-2079 / CVE-2008-4098↗2009-11-04

▶

Ubuntu

MySQL vulnerabilities↗2008-11-17

▶

Red Hat

mysql: incomplete upstream fix for CVE-2008-2079↗2008-07-03

▶

Red Hat

mysql: privilege escalation via DATA/INDEX DIRECTORY directives↗2008-03-13

▶

Red Hat

CVE-2008-4097: MySQL 5↗

▶

💬Community

Bugzilla

CVE-2010-1626 mysql: table destruction via DATA/INDEX DIRECTORY directives using symlinks↗2010-01-08

▶

Bugzilla

CVE-2009-4030 mysql: Incomplete fix for CVE-2008-2079 / CVE-2008-4098↗2009-12-02

▶

Bugzilla

CVE-2008-4098 mysql: incomplete upstream fix for CVE-2008-2079↗2008-07-04

▶

Bugzilla

CVE-2008-2079 mysql: privilege escalation via DATA/INDEX DIRECTORY directives↗2008-05-05

▶