Public exploit available: public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2009-2446 — Use of Externally-Controlled Format String in Mysql
Severity: 8.5 HIGH (NVD)
EPSS: 7.3% (top 8.33%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Jul 13; latest update Feb 5
Description
Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details are obtained from third party information.
CVSS vector: AV:N/AC:M/C:C/I:C/A:C (Exploitability: 6.8 | Impact: 10.0)
Affected Packages: 2 packages
Vulnerability Details
1 GHSA: GHSA-q8wr-mc75-9wjp: Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse (2022-05-02)
Exploits & PoCs
1 Vendor Advisories
3 Research Papers
3 Community
1 Bugzilla: CVE-2009-2446 MySQL: Format string vulnerability by manipulation with database instances (crash) (2009-07-13)