CVE-2008-3963

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does not properly handle a b'' (b single-quote single-quote) token, aka an empty bit-string literal, which allows remote attackers to cause a denial of service (daemon crash) by using this token in a SQL statement.

References

http://bugs.mysql.com/bug.php?id=35658

http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-66.html

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-26.html

http://dev.mysql.com/doc/refman/6.0/en/news-6-0-6.html

http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00001.html

http://secunia.com/advisories/31769

http://secunia.com/advisories/32759

http://secunia.com/advisories/32769

http://secunia.com/advisories/34907

http://secunia.com/advisories/36566

http://www.debian.org/security/2009/dsa-1783

http://www.mandriva.com/security/advisories?name=MDVSA-2009:094

http://www.openwall.com/lists/oss-security/2008/09/09/4

http://www.openwall.com/lists/oss-security/2008/09/09/7

http://www.redhat.com/support/errata/RHSA-2009-1067.html

http://www.redhat.com/support/errata/RHSA-2009-1289.html

http://www.securitytracker.com/id?1020858

http://www.ubuntu.com/usn/USN-1397-1

http://www.ubuntu.com/usn/USN-671-1

http://www.vupen.com/english/advisories/2008/2554

https://bugs.gentoo.org/237166

https://exchange.xforce.ibmcloud.com/vulnerabilities/45042

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10521

Details

Source: MITRE

Published: 2008-09-11

Updated: 2019-12-17

Type: CWE-134

Risk Information

CVSS v2

Base Score: 4

Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:mysql:mysql:5.0.0:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.1:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.2:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.3:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.4:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.5:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.5.0.21:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.10:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.15:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.16:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.17:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.20:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.22.1.0.1:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.24:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.30:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.36:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.44:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.54:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.56:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.60:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.1.5:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.1.23:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.0:alpha:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.23:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.25:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.26:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.30:sp1:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.32:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.33:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.38:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.41:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.42:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.45:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.50:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.51:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.52:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.9:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.10:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.11:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.13:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.14:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.15:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.16:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.17:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.18:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.19:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.20:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.21:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.22:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:6.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:6.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:6.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:6.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:6.0.4:*:*:*:*:*:*:*

Tenable Plugins

View all (20 total)

IDNameProductFamilySeverity
63890RHEL 5 : mysql (RHSA-2009:1289)NessusRed Hat Local Security Checks
high
60655Scientific Linux Security Update : mysql on SL5.x i386/x86_64NessusScientific Linux Local Security Checks
high
58325Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 vulnerabilities (USN-1397-1)NessusUbuntu Local Security Checks
high
57446GLSA-201201-02 : MySQL: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
43782CentOS 5 : mysql (CESA-2009:1289)NessusCentOS Local Security Checks
high
43045Mandriva Linux Security Advisory : mysql (MDVSA-2009:326)NessusMandriva Local Security Checks
high
40026openSUSE Security Update : libmysqlclient-devel (libmysqlclient-devel-210)NessusSuSE Local Security Checks
medium
38642Debian DSA-1783-1 : mysql-dfsg-5.0 - multiple vulnerabilitiesNessusDebian Local Security Checks
medium
37299Ubuntu 6.06 LTS / 7.10 / 8.04 LTS : mysql-dfsg-5.0 vulnerabilities (USN-671-1)NessusUbuntu Local Security Checks
medium
36943Mandriva Linux Security Advisory : mysql (MDVSA-2009:094)NessusMandriva Local Security Checks
medium
35337FreeBSD : mysql -- empty bit-string literal denial of service (66a770b4-e008-11dd-a765-0030843d3802)NessusFreeBSD Local Security Checks
medium
35248openSUSE 10 Security Update : libmysqlclient-devel (libmysqlclient-devel-5619)NessusSuSE Local Security Checks
medium
34985openSUSE 10 Security Update : mysql (mysql-5613)NessusSuSE Local Security Checks
medium
34765SuSE 10 Security Update : MySQL (ZYPP Patch Number 5618)NessusSuSE Local Security Checks
medium
34162MySQL Enterprise Server 5.0 < 5.0.66 Empty Bit-String Literal Token SQL Statement DoSNessusDatabases
medium
34161MySQL 6.0 < 6.0.6 Empty Bit-String Literal Token SQL Statement DoSNessusDatabases
medium
34160MySQL 5.1 < 5.1.26 Empty Bit-String Literal Token SQL Statement DoSNessusDatabases
medium
34159MySQL Community Server 5.0 < 5.0.67 Multiple VulnerabilitiesNessusDatabases
high
4652Oracle MySQL Empty Binary String DoSNessus Network MonitorDatabase
medium
801156MySQL Empty Binary String DoSLog Correlation EngineDatabase
medium