Detections
Analytics

GLSA-200503-19 : MySQL: Multiple vulnerabilities

medium Nessus Plugin ID 17344

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200503-19 (MySQL: Multiple vulnerabilities)

 MySQL fails to properly validate input for authenticated users with INSERT and DELETE privileges (CAN-2005-0709 and CAN-2005-0710).
 Furthermore MySQL uses predictable filenames when creating temporary files with CREATE TEMPORARY TABLE (CAN-2005-0711).
 Impact :

 An attacker with INSERT and DELETE privileges could exploit this to manipulate the mysql table or accessing libc calls, potentially leading to the execution of arbitrary code with the permissions of the user running MySQL. An attacker with CREATE TEMPORARY TABLE privileges could exploit this to overwrite arbitrary files via a symlink attack.
 Workaround :

 There is no known workaround at this time.

Solution

All MySQL users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/mysql-4.0.24'

See Also

https://security.gentoo.org/glsa/200503-19

Plugin Details

Severity: Medium

ID: 17344

File Name: gentoo_GLSA-200503-19.nasl

Version: 1.16

Type: local

Published: 3/17/2005

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:mysql, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 3/16/2005

Vulnerability Publication Date: 3/11/2005

Reference Information

CVE: CVE-2005-0709, CVE-2005-0710, CVE-2005-0711

GLSA: 200503-19