CVE-2008-4097 — Link Following in Mysql

CWE-264 CWE-59 — Link Following7 documents4 sources

Severity

4.6MEDIUMNVD

EPSS

0.7%

top 27.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical Ubuntu Linux Debian Linux Mysql +1 more

Timeline

PublishedSep 18

Latest updateMay 2

Description

MySQL 5.0.51a allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are associated with symlinks within pathnames for subdirectories of the MySQL home data directory, which are followed when tables are created in the future. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-2079.

CVSS vector

AV:N/AC:H/C:P/I:P/A:PExploitability: 3.9 | Impact: 6.4

Affected Packages2 packages

▶NVDmysql/mysql19 versions+18

▶NVDoracle/mysql26 versions+25

Also affects: Debian Linux 5.0, Ubuntu Linux 6.06, 7.10, 8.04, 8.10, 9.04, 9.10

🔴Vulnerability Details

GHSA

GHSA-cwr2-c5mc-rxv6: MySQL before 5↗2022-05-02

▶

GHSA

GHSA-rxrr-c7mj-hq68: MySQL 5↗2022-05-02

▶

📋Vendor Advisories

Ubuntu

MySQL vulnerabilities↗2008-11-17

▶

Red Hat

mysql: incomplete upstream fix for CVE-2008-2079↗2008-07-03

▶

Red Hat

CVE-2008-4097: MySQL 5↗

▶