CVE-2012-5613
published 2012-12-03


Priority: P3 (43)
CVSS 2.0: 6 (medium), AV:N/AC:M/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 31.66% (98.1th percentile)
MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a and possibly other versions, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator. NOTE: the vendor disputes this issue, stating that this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation. NOTE: it could be argued that this should not be included in CVE because it is a configuration issue.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
mariadb | mariadb | |
oracle | mysql | |

Detection & IOCs (extracted from sources)

  • Detect FILE privilege abuse via MySQL query logs: look for 'SELECT ... INTO DUMPFILE' writing to Windows system32 or wbem/mof directories, or Linux /var/lib/mysql paths with .TRG/.TRN extensions.
  • Monitor for creation of .mof files in C:\Windows\System32\wbem\mof\ by the MySQL service account (SYSTEM or mysql user), which indicates MOF execution exploitation.
  • Monitor for .exe files written to the All Users Startup folder (e.g., C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\) by the MySQL process, indicating FILE privilege startup persistence abuse.
  • Detect MySQL trigger file injection on Linux: alert on creation of .TRG or .TRN files under /var/lib/mysql/ by the mysql user outside of normal mysqld operation.
  • Detect reconnaissance queries in MySQL general query log: 'SELECT @@version_compile_os' and 'SELECT @@tmpdir' issued in rapid succession may indicate automated exploitation attempts.
  • Detect large hex-encoded payloads written via 'SELECT 0x<hex> INTO DUMPFILE' in MySQL query logs, which is the mechanism used to upload binary executables through the FILE privilege.
  • On Linux, detect the stack-overrun crash pattern used to force mysqld respawn: a deliberate oversized GRANT statement (e.g., 'grant all on AAAA...*.* to ...') followed by reconnection is a key exploit step.
  • This vulnerability only applies when the MySQL FILE privilege has been granted to users who should not have administrative privileges. Properly restricting FILE privilege per installation documentation mitigates the risk.
  • The MOF execution vector (EDB-23179) is Windows-specific; the exploit checks for Windows via @@version_compile_os before proceeding.
  • The Linux trigger-file escalation vector (EDB-23077) requires the attacker to also trigger a MySQL server crash/respawn to force recognition of the injected .TRG file; a non-respawning configuration would break the exploit chain.
  • Red Hat determined this was not a security vulnerability for RHEL 5 and RHEL 6 mysql packages.
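
The query-log checks in the list above, as an added example (not code from this page or from the sources it cites): a Python scanner that flags INTO DUMPFILE writes to the listed paths, hex-literal payloads, and the @@version_compile_os / @@tmpdir pair on one connection. The log layout (ISO timestamp, connection id, `Query`, statement), the 5-second window, the 64-hex-digit threshold and the rule names are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed general query log layout: "<ISO timestamp> <conn id> Query <statement>"
LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
DUMPFILE = re.compile(r"into\s+dumpfile\s+'([^']+)'", re.I)
HEX_BODY = re.compile(r"select\s+0x[0-9a-f]{64,}\s+into\s+dumpfile", re.I)
SENSITIVE = [  # matched against a lower-cased, forward-slash path
    ("windows-system32", re.compile(r"/windows/system32/")),  # includes wbem/mof
    ("startup-exe", re.compile(r"/start menu/programs/startup/.*\.exe$")),
    ("trigger-file", re.compile(r"^/var/lib/mysql/.*\.(trg|trn)$")),
]
RECON = ("@@version_compile_os", "@@tmpdir")
RECON_WINDOW = timedelta(seconds=5)  # assumed meaning of "rapid succession"

def scan(lines):
    """Return (connection_id, rule_name) alerts for general-query-log lines."""
    alerts, seen = [], {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines and non-Query commands are skipped
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ")
        conn, sql = int(m.group(2)), m.group(3)
        d = DUMPFILE.search(sql)
        if d:
            path = re.sub(r"[\\/]+", "/", d.group(1)).lower()
            rule = next((n for n, rx in SENSITIVE if rx.search(path)), None)
            if rule:
                alerts.append((conn, rule))
            if HEX_BODY.search(sql):
                alerts.append((conn, "hex-payload"))
        for var in RECON:
            if var in sql.lower():
                seen.setdefault(conn, {})[var] = ts
        hits = seen.get(conn, {})
        if len(hits) == 2 and abs(hits[RECON[0]] - hits[RECON[1]]) <= RECON_WINDOW:
            alerts.append((conn, "recon-pair"))
            seen[conn] = {}  # reset so one pair raises one alert
    return alerts

# Constructed sample log lines (not captured from a real server)
SAMPLE = [
    "2024-01-01T10:00:00.000000Z   7 Query  SELECT @@version_compile_os",
    "2024-01-01T10:00:00.400000Z   7 Query  SELECT @@tmpdir",
    "2024-01-01T10:00:01.000000Z   7 Query  SELECT 0x" + "ab" * 40
    + r" INTO DUMPFILE 'C:\\Windows\\System32\\wbem\\mof\\demo.mof'",
    "2024-01-01T10:00:05.000000Z   9 Query  SELECT 1 INTO DUMPFILE '/var/lib/mysql/db/t.TRG'",
    "2024-01-01T10:00:06.000000Z  11 Query  SELECT name FROM app.users WHERE id = 4",
]
```

`scan(SAMPLE)` returns one alert tuple per matched rule; pair it with file-creation monitoring on the same paths, since the general query log is often disabled in production.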

CVSS provenance

nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P
vendor_redhat | 6.0 | MEDIUM