CVE-2010-1850
Published 2010-06-08
Priority: P3 · 43 · medium · 6 (CVSS 2.0)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
EPSS: 21.79% (97.3th percentile)
Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.
Affected
85 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mysql | mysql | — | — |
| oracle | mysql | — | — |
Detection & IOCs
- Monitor MySQL traffic for COM_FIELD_LIST command packets containing abnormally long table name fields, which may indicate a buffer overflow exploitation attempt.
- Alert on authenticated MySQL sessions issuing COM_FIELD_LIST with table name arguments that exceed normal length bounds, as this is the specific attack vector for CVE-2010-1850.
- Affected versions are MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47; flag any such version exposed to authenticated remote users as high-priority for patching.
- Default compiler options (e.g. stack protection) on some distributions reduce the vulnerability from remote code execution to denial of service only.
- Red Hat Enterprise Linux 3 and 4 shipped versions of MySQL that were not affected by this CVE.
- MySQL as shipped with Red Hat Enterprise Linux 6 is also listed as not affected.
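One way to implement the first two checks above, as an added example that is not part of the original page or of any vendor's tooling. It assumes the input is the reassembled client-to-server byte stream of a MySQL session; the function names and the sample stream are hypothetical, and the 64-character threshold is MySQL's documented identifier limit for table names.

```python
"""Flag COM_FIELD_LIST packets whose table name exceeds MySQL's identifier limit."""

COM_FIELD_LIST = 0x04      # command byte of COM_FIELD_LIST in the MySQL client protocol
MAX_NAME_CHARS = 64        # MySQL's documented maximum table-name length (characters)


def make_packet(seq, payload):
    """Frame a payload as a MySQL packet: 3-byte little-endian length + 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def iter_packets(stream):
    """Yield (sequence_id, payload) for each complete packet in a client-to-server stream."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        end = pos + 4 + length
        if end > len(stream):
            break                      # truncated capture: stop rather than misparse
        yield stream[pos + 3], stream[pos + 4:end]
        pos = end


def find_suspicious_field_lists(stream, limit=MAX_NAME_CHARS):
    """Return one alert dict per COM_FIELD_LIST with an over-long or unterminated table name."""
    alerts = []
    for seq, payload in iter_packets(stream):
        # A command packet opens a new exchange, so its sequence id is 0.
        if seq != 0 or not payload or payload[0] != COM_FIELD_LIST:
            continue
        body = payload[1:]             # table name (NUL-terminated) + field wildcard
        nul = body.find(b"\x00")
        name = body if nul < 0 else body[:nul]
        chars = len(name.decode("utf-8", errors="replace"))
        if nul < 0 or chars > limit:
            alerts.append({"name_chars": chars, "terminated": nul >= 0,
                           "preview": name[:16].decode("utf-8", errors="replace")})
    return alerts


# Constructed sample stream (not captured traffic): a normal COM_FIELD_LIST,
# a COM_QUERY (0x03), and a COM_FIELD_LIST with a 300-character table name.
SAMPLE = (make_packet(0, b"\x04orders\x00%")
          + make_packet(0, b"\x03SELECT 1")
          + make_packet(0, b"\x04" + b"A" * 300 + b"\x00"))

if __name__ == "__main__":
    for alert in find_suspicious_field_lists(SAMPLE):
        print("ALERT COM_FIELD_LIST table name too long:", alert)
```

Sessions negotiated with TLS or protocol compression have to be decrypted or decompressed before this parser sees them.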
CVSS provenance
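| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| vendor_redhat | — | 6.0 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |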
GHSA
GHSA-2gf7-pwpq-8w42: Buffer overflow in MySQL 5
ghsa_unreviewed·2022-05-13
CVE-2010-1850 [MEDIUM] CWE-119 GHSA-2gf7-pwpq-8w42: Buffer overflow in MySQL 5
Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.
Ubuntu
MySQL vulnerabilities
vendor_ubuntu·2012-03-12
CVE-2007-5925 MySQL vulnerabilities
Title: MySQL vulnerabilities
Summary: Several security issues were fixed in MySQL.
Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.
MySQL has been updated to 5.1.61 in Ubuntu 10.04 LTS, Ubuntu 10.10,
Ubuntu 11.04 and Ubuntu 11.10. Ubuntu 8.04 LTS has been updated to
MySQL 5.0.95.
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-x.html
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
MySQL vulnerabilities
vendor_ubuntu·2010-06-09·CVSS 5.0
CVE-2010-1621 [MEDIUM] MySQL vulnerabilities
Title: MySQL vulnerabilities
It was discovered that MySQL did not check privileges before uninstalling
plugins. An authenticated user could uninstall arbitrary plugins, bypassing
intended restrictions. This issue only affected Ubuntu 9.10 and 10.04 LTS.
(CVE-2010-1621)
It was discovered that MySQL could be made to delete another user's data
and index files. An authenticated user could use symlinks combined with the
DROP TABLE command to possibly bypass privilege checks. (CVE-2010-1626)
It was discovered that MySQL incorrectly validated the table name argument
of the COM_FIELD_LIST command. An authenticated user could use a specially-
crafted table name to bypass privilege checks and possibly access other
tables. (CVE-2010-1848)
Eric Day discovered that MySQL incorrectly handled certain
Red Hat
mysql: COM_FIELD_LIST table name buffer overflow
vendor_redhat·2010-05-13·CVSS 6.0
CVE-2010-1850 [MEDIUM] mysql: COM_FIELD_LIST table name buffer overflow
Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.
Statement: These issues did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 3, or 4.
Package: mysql (Red Hat Enterprise Linux 6) - Not affected
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2010-1850 mysql: COM_FIELD_LIST table name buffer overflow
bugzilla·2010-05-13·CVSS 6.0
CVE-2010-1850 [MEDIUM] CVE-2010-1850 mysql: COM_FIELD_LIST table name buffer overflow
The upcoming MySQL 5.1.47 [1] and 5.0.91 [2] releases indicate a fix for the following issue, which has been assigned CVE-2010-1850. Currently the bug report [3] is not public.
The server was susceptible to a buffer-overflow attack due to a failure to perform bounds checking on the table name argument of a COM_FIELD_LIST command packet. By sending long data for the table name, a buffer is overflown, which could be exploited by an authenticated user to inject malicious code. (Bug#53237, CVE-2010-1850)
Without access to the upstream bug, it is difficult to determine if this would also affect older 4.x releases.
[1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html
[2] http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.h
Bugzilla
CVE-2010-1848 mysql: multiple insufficient table name checks
bugzilla·2010-05-13·CVSS 6.5
CVE-2010-1848 [MEDIUM] CVE-2010-1848 mysql: multiple insufficient table name checks
The upcoming MySQL 5.1.47 release indicates [1] a fix for the following issue, which has been assigned CVE-2010-1848. Currently the bug report [2] is not public.
The server failed to check the table name argument of a COM_FIELD_LIST command packet for validity and compliance to acceptable table name standards. This could be exploited to bypass almost all forms of checks for privileges and table-level grants by providing a specially crafted table name argument to COM_FIELD_LIST.
In MySQL 5.0 and above, this allowed an authenticated user with SELECT privileges on one table to obtain the field definitions of any table in all other databases and potentially of other MySQL instances accessible from the server's file system.
Additi
- http://bugs.mysql.com/bug.php?id=53237
- http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html
- http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html
- http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.html
- http://securitytracker.com/id?1024033
- http://support.apple.com/kb/HT4435
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:107
- http://www.redhat.com/support/errata/RHSA-2010-0442.html
- http://www.ubuntu.com/usn/USN-1397-1
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10846
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6693