CVE-2009-2446

HIGH
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details are obtained from third party information.

References

http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0058.html

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

http://secunia.com/advisories/35767

http://secunia.com/advisories/36566

http://secunia.com/advisories/38517

http://securitytracker.com/id?1022533

http://support.apple.com/kb/HT4077

http://ubuntu.com/usn/usn-897-1

http://www.mandriva.com/security/advisories?name=MDVSA-2009:179

http://www.osvdb.org/55734

http://www.redhat.com/support/errata/RHSA-2009-1289.html

http://www.redhat.com/support/errata/RHSA-2010-0110.html

http://www.securityfocus.com/archive/1/504799/100/0/threaded

http://www.securityfocus.com/bid/35609

http://www.ubuntu.com/usn/USN-1397-1

http://www.vupen.com/english/advisories/2009/1857

https://exchange.xforce.ibmcloud.com/vulnerabilities/51614

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11857

Details

Source: MITRE

Published: 2009-07-13

Updated: 2019-12-17

Type: CWE-134

Risk Information

CVSS v2

Base Score: 8.5

Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 6.8

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:mysql:mysql:4.1.0:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:4.1.2:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:4.1.3:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:4.1.8:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:4.1.10:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:4.1.12:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:4.1.13:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:4.1.14:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:4.1.15:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:4.1.23:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.0:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.1:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.2:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.3:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.4:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.5:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.5.0.21:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.10:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.15:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.16:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.17:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.20:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.22.1.0.1:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.24:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.30:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.36:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.44:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.54:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.56:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.60:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.66:*:*:*:*:*:*:*

cpe:2.3:a:mysql:mysql:5.0.82:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.5a:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.7:gamma:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.8:gamma:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.9:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.9:gamma:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.10:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.11:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.11:gamma:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.13:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.14:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.15:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.16:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.17:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.18:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.19:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.20:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.21:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.23:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.24:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.25:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.26:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.0.27:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.0:alpha:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.2:alpha:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.3:beta:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.9:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.11:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.16:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.17:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.18:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.19:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.20:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.21:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:4.1.22:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.0:alpha:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.3:beta:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.9:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.11:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.13:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.14:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.18:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.19:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.21:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.22:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.23:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.25:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.26:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.27:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.30:sp1:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.32:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.33:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.37:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.38:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.41:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.42:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.45:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.50:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.51:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.51a:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.52:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.75:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.77:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.81:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.0.83:*:*:*:*:*:*:*

Tenable Plugins

View all (22 total)

IDNameProductFamilySeverity
67998Oracle Linux 4 : mysql (ELSA-2010-0110)NessusOracle Linux Local Security Checks
high
63890RHEL 5 : mysql (RHSA-2009:1289)NessusRed Hat Local Security Checks
high
60735Scientific Linux Security Update : mysql on SL4.x i386/x86_64NessusScientific Linux Local Security Checks
high
60655Scientific Linux Security Update : mysql on SL5.x i386/x86_64NessusScientific Linux Local Security Checks
high
58325Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 vulnerabilities (USN-1397-1)NessusUbuntu Local Security Checks
high
17804MySQL < 5.0.83 Denial of ServiceNessusDatabases
high
57446GLSA-201201-02 : MySQL: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
5489Mac OS X < 10.6.3 Multiple VulnerabilitiesNessus Network MonitorGeneric
critical
45372Mac OS X 10.6.x < 10.6.3 Multiple VulnerabilitiesNessusMacOS X Local Security Checks
critical
44742Debian DSA-1877-1 : mysql-dfsg-5.0 - denial of service/execution of arbitrary codeNessusDebian Local Security Checks
high
44647CentOS 4 : mysql (CESA-2010:0110)NessusCentOS Local Security Checks
high
44635RHEL 4 : mysql (RHSA-2010:0110)NessusRed Hat Local Security Checks
high
44585Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : mysql-dfsg-5.0, mysql-dfsg-5.1 vulnerabilities (USN-897-1)NessusUbuntu Local Security Checks
high
43782CentOS 5 : mysql (CESA-2009:1289)NessusCentOS Local Security Checks
high
43045Mandriva Linux Security Advisory : mysql (MDVSA-2009:326)NessusMandriva Local Security Checks
high
42015openSUSE 10 Security Update : libmysqlclient-devel (libmysqlclient-devel-6360)NessusSuSE Local Security Checks
high
41560SuSE 10 Security Update : MySQL (ZYPP Patch Number 6446)NessusSuSE Local Security Checks
high
41421SuSE 11 Security Update : MySQL (SAT Patch Number 1114)NessusSuSE Local Security Checks
high
41313SuSE9 Security Update : MySQL (YOU Patch Number 12456)NessusSuSE Local Security Checks
high
40790openSUSE Security Update : libmysqlclient-devel (libmysqlclient-devel-1116)NessusSuSE Local Security Checks
high
40784openSUSE Security Update : libmysqlclient-devel (libmysqlclient-devel-1116)NessusSuSE Local Security Checks
high
40397Mandriva Linux Security Advisory : mysql (MDVSA-2009:159)NessusMandriva Local Security Checks
high