CVE-2008-4098

Advisory lineage Upstream: 0 Downstream: 3
Modified
Published: 17 Sept 2008, 18:06
Last modified:07 Aug 2024, 10:00

Vulnerability Summary

Overall Risk (default)
low
18/100
CVSS Score
4.6 MEDIUM
v2.0 (nvd)
EPSS Score
0.35% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

17 Sept 2008, 18:06
Published
Vulnerability first disclosed
07 Aug 2024, 10:00
Last Modified
Vulnerability information updated

Description

MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097.

CVSS Metrics

  • v2.0MEDIUMScore: 4.6AV:N/AC:H/Au:S/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.35% Percentile: 57%

Techniques & Countermeasures

  • CWE-59Improper Link Resolution Before File Access ('Link Following')

    The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Affected Systems

  • canonicalubuntu_linux

    6.06 | 7.10 | 8.04 | 8.10 | 9.04 | 9.10

  • debiandebian_linux

    5.0

  • mysqlmysql

    5.0.0 | 5.0.1 | 5.0.2 | 5.0.3 | 5.0.4 | 5.0.5 | 5.0.10 | 5.0.15 | 5.0.16 | 5.0.17 | 5.0.20 | 5.0.24 | 5.0.30 | 5.0.36 | 5.0.44 | 5.0.54 | 5.0.56 | 5.0.60 | 5.0.66

  • oraclemysql

    5.0.23 | 5.0.25 | 5.0.26 | 5.0.28 | 5.0.30:sp1 | 5.0.32 | 5.0.34 | 5.0.36:sp1 | 5.0.38 | 5.0.40 | 5.0.41 | 5.0.42 | 5.0.44:sp1 | 5.0.45 | 5.0.46 | 5.0.48 | 5.0.50 | 5.0.50:sp1 | 5.0.51 | 5.0.52 | 5.0.56:sp1 | 5.0.58 | 5.0.60:sp1 | 5.0.62 | 5.0.64 | 5.0.66:sp1

References (18)