CVE-2009-0819

medium
Description

sql/item_xmlfunc.cc in MySQL 5.1 before 5.1.32 and 6.0 before 6.0.10 allows remote authenticated users to cause a denial of service (crash) via "an XPath expression employing a scalar expression as a FilterExpr with ExtractValue() or UpdateXML()," which triggers an assertion failure.

References

http://bugs.mysql.com/bug.php?id=42495

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-32.html

http://dev.mysql.com/doc/refman/6.0/en/news-6-0-10.html

http://secunia.com/advisories/34115

http://www.securityfocus.com/bid/33972

http://www.securitytracker.com/id?1021786

http://www.vupen.com/english/advisories/2009/0594

https://exchange.xforce.ibmcloud.com/vulnerabilities/49050

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7544

Details

Source: MITRE

Published: 2009-03-05

Updated: 2019-12-17

Risk Information

CVSS v2

Base Score: 4

Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:mysql:mysql:5.1.23:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.1.31:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:*:*:*:*:*:*:*:* versions up to 5.1.32-bzr (inclusive)

cpe:2.3:a:mysql:mysql:6.0.9:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:6.0.10-bzr:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.10:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.11:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.13:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.14:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.15:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.16:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.17:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.18:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.19:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.20:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.21:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.22:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.23:a:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.24:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.25:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.26:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.27:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.28:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.29:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.30:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.31:sp1:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:6.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:6.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:6.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:6.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:6.0.4:*:*:*:*:*:*:*

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 36020 | MySQL 6.0 < 6.0.10 XPath Expression DoS | Nessus | Databases | medium |
| 4946 | MySQL Community Server 5.1 < 5.1.32 XPath Expression DoS | Nessus Network Monitor | Database | medium |
| 35766 | MySQL 5.1 < 5.1.32 XPath Expression DoS | Nessus | Databases | medium |
| 5002 | Oracle MySQL 6.0 < 6.0.10 XPath Expression DoS | Nessus Network Monitor | Database | medium |
| 801132 | MySQL 6.0 < 6.0.10 XPath Expression DoS | Log Correlation Engine | Database | medium |
| 801118 | MySQL Community Server 5.1 < 5.1.32 XPath Expression DoS | Log Correlation Engine | Database | medium |