MySQL debian.cnf Plaintext Credential Disclosure

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Synopsis :

The remote database server may be affected by an information disclosure

Description :

The version of MySQL installed on the remote host is 5.5.x prior to
5.5.33. It is, therefore, potentially affected by a race condition in
the post-installation script of the MySQL server package
(mysql-server-5.5.postinst) that creates the configuration file
'/etc/mysql/debian.cnf' with world-readable permissions before
restricting the permissions. This allows local users to read the file
and obtain credentials for the privileged 'debian-sys-maint' user.
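The create-then-restrict ordering described above, next to a umask-first form and a permission audit, as an added example (not the Debian postinst script or Tenable's plugin code). The function names, scratch paths and password value are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not the Debian postinst script; names and data are constructed.

# Print the 10-character permission string of a file (e.g. -rw-r--r--).
perm_of() { ls -ld "$1" | cut -c1-10; }

# Hypothetical helper: emit a debian.cnf-style body with a constructed password.
conf_body() { printf '[client]\nuser = debian-sys-maint\npassword = %s\n' "$1"; }

# Ordering from the description: create under the default umask, restrict afterwards.
# Prints the mode the file had before chmod, i.e. while the secret was already on disk.
write_conf_racy() {
    (
        umask 022                    # common default for a root shell
        conf_body "$2" > "$1"
        perm_of "$1"                 # file is world-readable at this point
        chmod 600 "$1"
    )
}

# Hardened ordering: tighten the umask first, write to a private temp file,
# then rename into place so the target never exists with wider permissions.
write_conf_safe() {
    (
        umask 077
        tmp="$1.tmp.$$"
        conf_body "$2" > "$tmp" && mv -f "$tmp" "$1"
        perm_of "$1"
    )
}

# Audit: succeed only if group and other have no permission bits set.
audit_conf() {
    case "$(perm_of "$1")" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demo in a scratch directory (constructed data only).
demo_dir=$(mktemp -d)
echo "racy, before chmod: $(write_conf_racy "$demo_dir/racy.cnf" constructed-secret)"
echo "safe, at creation:  $(write_conf_safe "$demo_dir/safe.cnf" constructed-secret)"
rm -rf "$demo_dir"
```

On a host, `audit_conf /etc/mysql/debian.cnf` checks the current mode only; it cannot tell whether the file was readable during an earlier install, so the 'debian-sys-maint' password should be treated as exposed if an affected package version was installed.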

Solution :

Upgrade the MySQL server package to 5.5.33 or later on Debian / 5.5.32
or later on Ubuntu.

Risk factor :

Low / CVSS Base Score : 1.2
CVSS Temporal Score : 1.0
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 71862

Bugtraq ID: 60424

CVE ID: CVE-2013-2162