ID CVE-2006-4031
Summary MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy.
References
Vulnerable Configurations
  • MySQL MySQL 3.22.27
    cpe:2.3:a:mysql:mysql:3.22.27
  • MySQL MySQL 3.22.28
    cpe:2.3:a:mysql:mysql:3.22.28
  • MySQL MySQL 3.22.29
    cpe:2.3:a:mysql:mysql:3.22.29
  • MySQL MySQL 3.22.30
    cpe:2.3:a:mysql:mysql:3.22.30
  • MySQL MySQL 3.22.32
    cpe:2.3:a:mysql:mysql:3.22.32
  • MySQL MySQL 3.23
    cpe:2.3:a:mysql:mysql:3.23
  • MySQL MySQL 3.23.0 alpha
    cpe:2.3:a:mysql:mysql:3.23.0:alpha
  • MySQL MySQL 3.23.1
    cpe:2.3:a:mysql:mysql:3.23.1
  • MySQL MySQL 3.23.2
    cpe:2.3:a:mysql:mysql:3.23.2
  • MySQL MySQL 3.23.3
    cpe:2.3:a:mysql:mysql:3.23.3
  • MySQL MySQL 3.23.4
    cpe:2.3:a:mysql:mysql:3.23.4
  • MySQL MySQL 3.23.5
    cpe:2.3:a:mysql:mysql:3.23.5
  • MySQL MySQL 3.23.6
    cpe:2.3:a:mysql:mysql:3.23.6
  • MySQL MySQL 3.23.7
    cpe:2.3:a:mysql:mysql:3.23.7
  • MySQL MySQL 3.23.8
    cpe:2.3:a:mysql:mysql:3.23.8
  • MySQL MySQL 3.23.9
    cpe:2.3:a:mysql:mysql:3.23.9
  • MySQL MySQL 3.23.10
    cpe:2.3:a:mysql:mysql:3.23.10
  • MySQL MySQL 3.23.11
    cpe:2.3:a:mysql:mysql:3.23.11
  • MySQL MySQL 3.23.12
    cpe:2.3:a:mysql:mysql:3.23.12
  • MySQL MySQL 3.23.13
    cpe:2.3:a:mysql:mysql:3.23.13
  • MySQL MySQL 3.23.14
    cpe:2.3:a:mysql:mysql:3.23.14
  • MySQL MySQL 3.23.15
    cpe:2.3:a:mysql:mysql:3.23.15
  • MySQL MySQL 3.23.16
    cpe:2.3:a:mysql:mysql:3.23.16
  • MySQL MySQL 3.23.17
    cpe:2.3:a:mysql:mysql:3.23.17
  • MySQL MySQL 3.23.18
    cpe:2.3:a:mysql:mysql:3.23.18
  • MySQL MySQL 3.23.19
    cpe:2.3:a:mysql:mysql:3.23.19
  • MySQL MySQL 3.23.20 Beta
    cpe:2.3:a:mysql:mysql:3.23.20:beta
  • MySQL MySQL 3.23.21
    cpe:2.3:a:mysql:mysql:3.23.21
  • MySQL MySQL 3.23.22
    cpe:2.3:a:mysql:mysql:3.23.22
  • MySQL MySQL 3.23.23
    cpe:2.3:a:mysql:mysql:3.23.23
  • MySQL MySQL 3.23.24
    cpe:2.3:a:mysql:mysql:3.23.24
  • MySQL MySQL 3.23.25
    cpe:2.3:a:mysql:mysql:3.23.25
  • MySQL MySQL 3.23.26
    cpe:2.3:a:mysql:mysql:3.23.26
  • MySQL MySQL 3.23.27
    cpe:2.3:a:mysql:mysql:3.23.27
  • MySQL MySQL 3.23.28
    cpe:2.3:a:mysql:mysql:3.23.28
  • MySQL MySQL 3.23.28 gamma
    cpe:2.3:a:mysql:mysql:3.23.28:gamma
  • MySQL MySQL 3.23.29
    cpe:2.3:a:mysql:mysql:3.23.29
  • MySQL MySQL 3.23.30
    cpe:2.3:a:mysql:mysql:3.23.30
  • MySQL MySQL 3.23.31
    cpe:2.3:a:mysql:mysql:3.23.31
  • MySQL MySQL 3.23.32
    cpe:2.3:a:mysql:mysql:3.23.32
  • MySQL MySQL 3.23.33
    cpe:2.3:a:mysql:mysql:3.23.33
  • MySQL MySQL 3.23.34
    cpe:2.3:a:mysql:mysql:3.23.34
  • MySQL MySQL 3.23.35
    cpe:2.3:a:mysql:mysql:3.23.35
  • MySQL MySQL 3.23.36
    cpe:2.3:a:mysql:mysql:3.23.36
  • MySQL MySQL 3.23.37
    cpe:2.3:a:mysql:mysql:3.23.37
  • MySQL MySQL 3.23.38
    cpe:2.3:a:mysql:mysql:3.23.38
  • MySQL MySQL 3.23.39
    cpe:2.3:a:mysql:mysql:3.23.39
  • MySQL MySQL 3.23.40
    cpe:2.3:a:mysql:mysql:3.23.40
  • MySQL MySQL 3.23.41
    cpe:2.3:a:mysql:mysql:3.23.41
  • MySQL MySQL 3.23.42
    cpe:2.3:a:mysql:mysql:3.23.42
  • MySQL MySQL 3.23.43
    cpe:2.3:a:mysql:mysql:3.23.43
  • MySQL MySQL 3.23.44
    cpe:2.3:a:mysql:mysql:3.23.44
  • MySQL MySQL 3.23.45
    cpe:2.3:a:mysql:mysql:3.23.45
  • MySQL MySQL 3.23.46
    cpe:2.3:a:mysql:mysql:3.23.46
  • MySQL MySQL 3.23.47
    cpe:2.3:a:mysql:mysql:3.23.47
  • MySQL MySQL 3.23.48
    cpe:2.3:a:mysql:mysql:3.23.48
  • MySQL MySQL 3.23.49
    cpe:2.3:a:mysql:mysql:3.23.49
  • MySQL MySQL 3.23.50
    cpe:2.3:a:mysql:mysql:3.23.50
  • MySQL MySQL 3.23.51
    cpe:2.3:a:mysql:mysql:3.23.51
  • MySQL MySQL 3.23.52
    cpe:2.3:a:mysql:mysql:3.23.52
  • MySQL MySQL 3.23.53
    cpe:2.3:a:mysql:mysql:3.23.53
  • MySQL MySQL 3.23.53a
    cpe:2.3:a:mysql:mysql:3.23.53a
  • MySQL MySQL 3.23.54
    cpe:2.3:a:mysql:mysql:3.23.54
  • MySQL MySQL 3.23.54a
    cpe:2.3:a:mysql:mysql:3.23.54a
  • MySQL MySQL 3.23.55
    cpe:2.3:a:mysql:mysql:3.23.55
  • MySQL MySQL 3.23.56
    cpe:2.3:a:mysql:mysql:3.23.56
  • MySQL MySQL 3.23.57
    cpe:2.3:a:mysql:mysql:3.23.57
  • MySQL MySQL 3.23.58
    cpe:2.3:a:mysql:mysql:3.23.58
  • MySQL MySQL 3.23.59
    cpe:2.3:a:mysql:mysql:3.23.59
  • MySQL MySQL 4.0.0
    cpe:2.3:a:mysql:mysql:4.0.0
  • MySQL MySQL 4.0.1
    cpe:2.3:a:mysql:mysql:4.0.1
  • MySQL MySQL 4.0.2
    cpe:2.3:a:mysql:mysql:4.0.2
  • MySQL MySQL 4.0.3
    cpe:2.3:a:mysql:mysql:4.0.3
  • MySQL MySQL 4.0.4
    cpe:2.3:a:mysql:mysql:4.0.4
  • MySQL MySQL 4.0.5
    cpe:2.3:a:mysql:mysql:4.0.5
  • MySQL MySQL 4.0.5a
    cpe:2.3:a:mysql:mysql:4.0.5a
  • MySQL MySQL 4.0.6
    cpe:2.3:a:mysql:mysql:4.0.6
  • MySQL MySQL 4.0.7
    cpe:2.3:a:mysql:mysql:4.0.7
  • MySQL MySQL 4.0.7 gamma
    cpe:2.3:a:mysql:mysql:4.0.7:gamma
  • MySQL MySQL 4.0.8
    cpe:2.3:a:mysql:mysql:4.0.8
  • MySQL MySQL 4.0.8 gamma
    cpe:2.3:a:mysql:mysql:4.0.8:gamma
  • MySQL MySQL 4.0.9
    cpe:2.3:a:mysql:mysql:4.0.9
  • MySQL MySQL 4.0.9 gamma
    cpe:2.3:a:mysql:mysql:4.0.9:gamma
  • MySQL MySQL 4.0.10
    cpe:2.3:a:mysql:mysql:4.0.10
  • MySQL MySQL 4.0.11
    cpe:2.3:a:mysql:mysql:4.0.11
  • MySQL MySQL 4.0.11 gamma
    cpe:2.3:a:mysql:mysql:4.0.11:gamma
  • MySQL MySQL 4.0.12
    cpe:2.3:a:mysql:mysql:4.0.12
  • MySQL MySQL 4.0.13
    cpe:2.3:a:mysql:mysql:4.0.13
  • MySQL MySQL 4.0.14
    cpe:2.3:a:mysql:mysql:4.0.14
  • MySQL MySQL 4.0.15
    cpe:2.3:a:mysql:mysql:4.0.15
  • MySQL MySQL 4.0.16
    cpe:2.3:a:mysql:mysql:4.0.16
  • MySQL MySQL 4.0.17
    cpe:2.3:a:mysql:mysql:4.0.17
  • MySQL MySQL 4.0.18
    cpe:2.3:a:mysql:mysql:4.0.18
  • MySQL MySQL 4.0.19
    cpe:2.3:a:mysql:mysql:4.0.19
  • MySQL MySQL 4.0.20
    cpe:2.3:a:mysql:mysql:4.0.20
  • MySQL MySQL 4.0.21
    cpe:2.3:a:mysql:mysql:4.0.21
  • MySQL MySQL 4.0.23
    cpe:2.3:a:mysql:mysql:4.0.23
  • MySQL MySQL 4.0.24
    cpe:2.3:a:mysql:mysql:4.0.24
  • MySQL MySQL 4.0.25
    cpe:2.3:a:mysql:mysql:4.0.25
  • MySQL MySQL 4.0.26
    cpe:2.3:a:mysql:mysql:4.0.26
  • MySQL MySQL 4.0.27
    cpe:2.3:a:mysql:mysql:4.0.27
  • MySQL MySQL 4.1
    cpe:2.3:a:mysql:mysql:4.1
  • MySQL MySQL 4.1.0
    cpe:2.3:a:mysql:mysql:4.1.0
  • MySQL MySQL 4.1.0 alpha
    cpe:2.3:a:mysql:mysql:4.1.0:alpha
  • MySQL MySQL 4.1.0.0
    cpe:2.3:a:mysql:mysql:4.1.0.0
  • MySQL MySQL 4.1.1
    cpe:2.3:a:mysql:mysql:4.1.1
  • MySQL MySQL 4.1.2
    cpe:2.3:a:mysql:mysql:4.1.2
  • MySQL MySQL 4.1.2 alpha
    cpe:2.3:a:mysql:mysql:4.1.2:alpha
  • MySQL MySQL 4.1.3
    cpe:2.3:a:mysql:mysql:4.1.3
  • MySQL MySQL 4.1.3 beta
    cpe:2.3:a:mysql:mysql:4.1.3:beta
  • MySQL MySQL 4.1.4
    cpe:2.3:a:mysql:mysql:4.1.4
  • MySQL MySQL 4.1.5
    cpe:2.3:a:mysql:mysql:4.1.5
  • MySQL MySQL 4.1.6
    cpe:2.3:a:mysql:mysql:4.1.6
  • MySQL MySQL 4.1.7
    cpe:2.3:a:mysql:mysql:4.1.7
  • MySQL MySQL 4.1.8
    cpe:2.3:a:mysql:mysql:4.1.8
  • MySQL MySQL 4.1.8a
    cpe:2.3:a:mysql:mysql:4.1.8a
  • MySQL MySQL 4.1.9
    cpe:2.3:a:mysql:mysql:4.1.9
  • MySQL MySQL 4.1.10
    cpe:2.3:a:mysql:mysql:4.1.10
  • MySQL MySQL 4.1.10a
    cpe:2.3:a:mysql:mysql:4.1.10a
  • MySQL MySQL 4.1.11
    cpe:2.3:a:mysql:mysql:4.1.11
  • MySQL MySQL 4.1.12
    cpe:2.3:a:mysql:mysql:4.1.12
  • MySQL MySQL 4.1.12a
    cpe:2.3:a:mysql:mysql:4.1.12a
  • MySQL MySQL 4.1.13
    cpe:2.3:a:mysql:mysql:4.1.13
  • MySQL MySQL 4.1.13a
    cpe:2.3:a:mysql:mysql:4.1.13a
  • MySQL MySQL 4.1.14
    cpe:2.3:a:mysql:mysql:4.1.14
  • MySQL MySQL 4.1.14a
    cpe:2.3:a:mysql:mysql:4.1.14a
  • MySQL MySQL 4.1.15
    cpe:2.3:a:mysql:mysql:4.1.15
  • MySQL MySQL 4.1.15a
    cpe:2.3:a:mysql:mysql:4.1.15a
  • MySQL MySQL 4.1.16
    cpe:2.3:a:mysql:mysql:4.1.16
  • MySQL MySQL 4.1.17
    cpe:2.3:a:mysql:mysql:4.1.17
  • MySQL MySQL 4.1.18
    cpe:2.3:a:mysql:mysql:4.1.18
  • MySQL MySQL 4.1.19
    cpe:2.3:a:mysql:mysql:4.1.19
  • MySQL MySQL 4.1.20
    cpe:2.3:a:mysql:mysql:4.1.20
  • MySQL 5.0
    cpe:2.3:a:mysql:mysql:5.0
  • MySQL MySQL 5.0.0 alpha
    cpe:2.3:a:mysql:mysql:5.0.0:alpha
  • MySQL MySQL 5.0.0.0
    cpe:2.3:a:mysql:mysql:5.0.0.0
  • MySQL MySQL 5.0.1
    cpe:2.3:a:mysql:mysql:5.0.1
  • MySQL MySQL 5.0.1a
    cpe:2.3:a:mysql:mysql:5.0.1a
  • MySQL MySQL 5.0.2
    cpe:2.3:a:mysql:mysql:5.0.2
  • MySQL MySQL 5.0.3
    cpe:2.3:a:mysql:mysql:5.0.3
  • MySQL MySQL 5.0.3 Beta
    cpe:2.3:a:mysql:mysql:5.0.3:beta
  • MySQL MySQL 5.0.3a
    cpe:2.3:a:mysql:mysql:5.0.3a
  • MySQL MySQL 5.0.4
    cpe:2.3:a:mysql:mysql:5.0.4
  • MySQL MySQL 5.0.4a
    cpe:2.3:a:mysql:mysql:5.0.4a
  • MySQL MySQL 5.0.5
    cpe:2.3:a:mysql:mysql:5.0.5
  • cpe:2.3:a:mysql:mysql:5.0.5.0.21
    cpe:2.3:a:mysql:mysql:5.0.5.0.21
  • MySQL MySQL 5.0.6
    cpe:2.3:a:mysql:mysql:5.0.6
  • MySQL MySQL 5.0.7
    cpe:2.3:a:mysql:mysql:5.0.7
  • MySQL MySQL 5.0.8
    cpe:2.3:a:mysql:mysql:5.0.8
  • MySQL MySQL 5.0.9
    cpe:2.3:a:mysql:mysql:5.0.9
  • MySQL MySQL 5.0.10
    cpe:2.3:a:mysql:mysql:5.0.10
  • MySQL MySQL 5.0.10a
    cpe:2.3:a:mysql:mysql:5.0.10a
  • MySQL MySQL 5.0.11
    cpe:2.3:a:mysql:mysql:5.0.11
  • MySQL MySQL 5.0.12
    cpe:2.3:a:mysql:mysql:5.0.12
  • MySQL MySQL 5.0.13
    cpe:2.3:a:mysql:mysql:5.0.13
  • MySQL MySQL 5.0.14
    cpe:2.3:a:mysql:mysql:5.0.14
  • MySQL MySQL 5.0.15
    cpe:2.3:a:mysql:mysql:5.0.15
  • MySQL MySQL 5.0.15a
    cpe:2.3:a:mysql:mysql:5.0.15a
  • MySQL MySQL 5.0.16
    cpe:2.3:a:mysql:mysql:5.0.16
  • MySQL MySQL 5.0.16a
    cpe:2.3:a:mysql:mysql:5.0.16a
  • MySQL MySQL 5.0.17
    cpe:2.3:a:mysql:mysql:5.0.17
  • MySQL MySQL 5.0.17a
    cpe:2.3:a:mysql:mysql:5.0.17a
  • MySQL MySQL 5.0.18
    cpe:2.3:a:mysql:mysql:5.0.18
  • MySQL MySQL 5.0.19
    cpe:2.3:a:mysql:mysql:5.0.19
  • MySQL MySQL 5.0.20
    cpe:2.3:a:mysql:mysql:5.0.20
  • MySQL MySQL 5.0.20a
    cpe:2.3:a:mysql:mysql:5.0.20a
  • MySQL MySQL 5.0.21
    cpe:2.3:a:mysql:mysql:5.0.21
  • MySQL MySQL 5.0.22
    cpe:2.3:a:mysql:mysql:5.0.22
  • cpe:2.3:a:mysql:mysql:5.0.22.1.0.1
    cpe:2.3:a:mysql:mysql:5.0.22.1.0.1
CVSS
Base: 2.1 (as of 10-08-2006 - 09:31)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_MYSQL-2075.NASL
    description This update of mysql fixes several security vulnerabilities. (CVE-2006-4031,CVE-2006-4226,CVE-2006-4227)
    last seen 2018-09-01
    modified 2018-07-19
    plugin id 27358
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27358
    title openSUSE 10 Security Update : mysql (mysql-2075)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-338-1.NASL
    description Dmitri Lenev discovered that arguments of setuid SQL functions were evaluated in the security context of the functions' definer instead of its caller. An authenticated user with the privilege to call such a function could exploit this to execute arbitrary statements with the privileges of the definer of that function. (CVE-2006-4227) Peter Gulutzan reported a potentially confusing situation of the MERGE table engine. If an user creates a merge table, and the administrator later revokes privileges on the original table only (without changing the privileges on the merge table), that user still has access to the data by using the merge table. This is intended behaviour, but might be undesirable in some installations; this update introduces a new server option '--skip-merge' which disables the MERGE engine completely. (CVE-2006-4031). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27917
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27917
    title Ubuntu 6.06 LTS : mysql-dfsg-5.0 vulnerabilities (USN-338-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-149.NASL
    description MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031). The update allows the local admin to override MERGE using the '--skip-merge' option when running mysqld. This can be defined under MYSQLD_OPTIONS in /etc/sysconfig/mysqld. If '--skip-merge' is not used, the old behaviour of MERGE tables is still used. MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226). Packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 23896
    published 2006-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23896
    title Mandrake Linux Security Advisory : MySQL (MDKSA-2006:149)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_4_9.NASL
    description The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs : - ColorSync - CoreGraphics - Crash Reporter - CUPS - Disk Images - DS Plugins - Flash Player - GNU Tar - HFS - HID Family - ImageIO - Kernel - MySQL server - Networking - OpenSSH - Printing - QuickDraw Manager - servermgrd - SMB File Server - Software Update - sudo - WebLog
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 24811
    published 2007-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24811
    title Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)
  • NASL family Databases
    NASL id MYSQL_5_0_24.NASL
    description The version of MySQL installed on the remote host is earlier than 4.1.21 / 5.0.24 and thus reportedly allows a local user to access a table after his privileges on it were revoked.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 17802
    published 2012-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17802
    title MySQL < 4.1.21 / 5.0.24 Privilege Persistence
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0768.NASL
    description Updated mysql packages that fix various security issues, several bugs, and add an enhancement are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld), and many different client programs and libraries. MySQL did not correctly check directories used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated attacker could elevate their access privileges to tables created by other database users. Note: this attack does not work on existing tables. An attacker can only elevate their access to another user's tables as the tables are created. As well, the names of these created tables need to be predicted correctly for this attack to succeed. (CVE-2008-2079) MySQL did not require the 'DROP' privilege for 'RENAME TABLE' statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691) MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the '--skip-merge' option. (CVE-2006-4031) A flaw in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-3469) As well, these updated packages fix the following bugs : * in the previous mysql packages, if a column name was referenced more than once in an 'ORDER BY' section of a query, a segmentation fault occurred. * when MySQL failed to start, the init script returned a successful (0) exit code. When using the Red Hat Cluster Suite, this may have caused cluster services to report a successful start, even when MySQL failed to start. In these updated packages, the init script returns the correct exit codes, which resolves this issue. * it was possible to use the mysqld_safe command to specify invalid port numbers (higher than 65536), causing invalid ports to be created, and, in some cases, a 'port number definition: unsigned short' error. In these updated packages, when an invalid port number is specified, the default port number is used. * when setting 'myisam_repair_threads > 1', any repair set the index cardinality to '1', regardless of the table size. * the MySQL init script no longer runs 'chmod -R' on the entire database directory tree during every startup. * when running 'mysqldump' with the MySQL 4.0 compatibility mode option, '--compatible=mysql40', mysqldump created dumps that omitted the 'auto_increment' field. As well, the MySQL init script now uses more reliable methods for determining parameters, such as the data directory location. Note: these updated packages upgrade MySQL to version 4.1.22. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/4.1/en/news-4-1-22.html All mysql users are advised to upgrade to these updated packages, which resolve these issues and add this enhancement.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 33585
    published 2008-07-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33585
    title RHEL 4 : mysql (RHSA-2008:0768)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080521_MYSQL_ON_SL5_X.NASL
    description MySQL did not require privileges such as 'SELECT' for the source table in a 'CREATE TABLE LIKE' statement. An authenticated user could obtain sensitive information, such as the table structure. (CVE-2007-3781) A flaw was discovered in MySQL that allowed an authenticated user to gain update privileges for a table in another database, via a view that refers to the external table. (CVE-2007-3782) MySQL did not require the 'DROP' privilege for 'RENAME TABLE' statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691) A flaw was discovered in the mysql_change_db function when returning from SQL SECURITY INVOKER stored routines. An authenticated user could use this flaw to gain database privileges. (CVE-2007-2692) MySQL allowed an authenticated user to bypass logging mechanisms via SQL queries that contain the NULL character, which were not properly handled by the mysql_real_query function. (CVE-2006-0903) MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the '--skip-merge' option. (CVE-2006-4031) MySQL evaluated arguments in the wrong security context, which allowed an authenticated user to gain privileges through a routine that had been made available using 'GRANT EXECUTE'. (CVE-2006-4227) Multiple flaws in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-7232, CVE-2007-1420, CVE-2007-2583) As well, these updated packages fix the following bugs : - a separate counter was used for 'insert delayed' statements, which caused rows to be discarded. In these updated packages, 'insert delayed' statements no longer use a separate counter, which resolves this issue. - due to a bug in the Native POSIX Thread Library, in certain situations, 'flush tables' caused a deadlock on tables that had a read lock. The mysqld daemon had to be killed forcefully. Now, 'COND_refresh' has been replaced with 'COND_global_read_lock', which resolves this issue. - mysqld crashed if a query for an unsigned column type contained a negative value for a 'WHERE [column] NOT IN' subquery. - in master and slave server situations, specifying 'on duplicate key update' for 'insert' statements did not update slave servers. - in the mysql client, empty strings were displayed as 'NULL'. For example, running 'insert into [table-name] values (' ');' resulted in a 'NULL' entry being displayed when querying the table using 'select * from [table-name];'. - a bug in the optimizer code resulted in certain queries executing much slower than expected. - on 64-bit PowerPC architectures, MySQL did not calculate the thread stack size correctly, which could have caused MySQL to crash when overly-complex queries were used. Note: these updated packages upgrade MySQL to version 5.0.45. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0.html
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60406
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60406
    title Scientific Linux Security Update : mysql on SL5.x i386/x86_64
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080724_MYSQL_ON_SL4_X.NASL
    description MySQL did not correctly check directories used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated attacker could elevate their access privileges to tables created by other database users. Note: this attack does not work on existing tables. An attacker can only elevate their access to another user's tables as the tables are created. As well, the names of these created tables need to be predicted correctly for this attack to succeed. (CVE-2008-2079) MySQL did not require the 'DROP' privilege for 'RENAME TABLE' statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691) MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the '--skip-merge' option. (CVE-2006-4031) A flaw in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-3469) As well, these updated packages fix the following bugs : - in the previous mysql packages, if a column name was referenced more than once in an 'ORDER BY' section of a query, a segmentation fault occurred. - when MySQL failed to start, the init script returned a successful (0) exit code. When using the Red Hat Cluster Suite, this may have caused cluster services to report a successful start, even when MySQL failed to start. In these updated packages, the init script returns the correct exit codes, which resolves this issue. - it was possible to use the mysqld_safe command to specify invalid port numbers (higher than 65536), causing invalid ports to be created, and, in some cases, a 'port number definition: unsigned short' error. In these updated packages, when an invalid port number is specified, the default port number is used. - when setting 'myisam_repair_threads > 1', any repair set the index cardinality to '1', regardless of the table size. - the MySQL init script no longer runs 'chmod -R' on the entire database directory tree during every startup. - when running 'mysqldump' with the MySQL 4.0 compatibility mode option, '--compatible=mysql40', mysqldump created dumps that omitted the 'auto_increment' field. As well, the MySQL init script now uses more reliable methods for determining parameters, such as the data directory location. Note: these updated packages upgrade MySQL to version 4.1.22. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/4.1/en/news-4-1-22.html
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60451
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60451
    title Scientific Linux Security Update : mysql on SL4.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_MYSQL-2073.NASL
    description This update of mysql fixes several security vulnerabilities. (CVE-2006-4031 / CVE-2006-4226 / CVE-2006-4227)
    last seen 2018-09-01
    modified 2012-05-17
    plugin id 29524
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29524
    title SuSE 10 Security Update : mysql (ZYPP Patch Number 2073)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0364.NASL
    description Updated mysql packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having low security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld), and many different client programs and libraries. MySQL did not require privileges such as 'SELECT' for the source table in a 'CREATE TABLE LIKE' statement. An authenticated user could obtain sensitive information, such as the table structure. (CVE-2007-3781) A flaw was discovered in MySQL that allowed an authenticated user to gain update privileges for a table in another database, via a view that refers to the external table. (CVE-2007-3782) MySQL did not require the 'DROP' privilege for 'RENAME TABLE' statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691) A flaw was discovered in the mysql_change_db function when returning from SQL SECURITY INVOKER stored routines. An authenticated user could use this flaw to gain database privileges. (CVE-2007-2692) MySQL allowed an authenticated user to bypass logging mechanisms via SQL queries that contain the NULL character, which were not properly handled by the mysql_real_query function. (CVE-2006-0903) MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the '--skip-merge' option. (CVE-2006-4031) MySQL evaluated arguments in the wrong security context, which allowed an authenticated user to gain privileges through a routine that had been made available using 'GRANT EXECUTE'. (CVE-2006-4227) Multiple flaws in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-7232, CVE-2007-1420, CVE-2007-2583) As well, these updated packages fix the following bugs : * a separate counter was used for 'insert delayed' statements, which caused rows to be discarded. In these updated packages, 'insert delayed' statements no longer use a separate counter, which resolves this issue. * due to a bug in the Native POSIX Thread Library, in certain situations, 'flush tables' caused a deadlock on tables that had a read lock. The mysqld daemon had to be killed forcefully. Now, 'COND_refresh' has been replaced with 'COND_global_read_lock', which resolves this issue. * mysqld crashed if a query for an unsigned column type contained a negative value for a 'WHERE [column] NOT IN' subquery. * in master and slave server situations, specifying 'on duplicate key update' for 'insert' statements did not update slave servers. * in the mysql client, empty strings were displayed as 'NULL'. For example, running 'insert into [table-name] values (' ');' resulted in a 'NULL' entry being displayed when querying the table using 'select * from [table-name];'. * a bug in the optimizer code resulted in certain queries executing much slower than expected. * on 64-bit PowerPC architectures, MySQL did not calculate the thread stack size correctly, which could have caused MySQL to crash when overly-complex queries were used. Note: these updated packages upgrade MySQL to version 5.0.45. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0.html All mysql users are advised to upgrade to these updated packages, which resolve these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 32425
    published 2008-05-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=32425
    title RHEL 5 : mysql (RHSA-2008:0364)
oval via4
accepted 2013-04-29T04:05:55.346-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy.
family unix
id oval:org.mitre.oval:def:10468
status accepted
submitted 2010-07-09T03:56:16-04:00
title MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy.
version 24
redhat via4
advisories
  • rhsa
    id RHSA-2007:0083
  • rhsa
    id RHSA-2008:0364
  • rhsa
    id RHSA-2008:0768
rpms
  • mysql-0:5.0.45-7.el5
  • mysql-bench-0:5.0.45-7.el5
  • mysql-devel-0:5.0.45-7.el5
  • mysql-server-0:5.0.45-7.el5
  • mysql-test-0:5.0.45-7.el5
  • mysql-0:4.1.22-2.el4
  • mysql-bench-0:4.1.22-2.el4
  • mysql-devel-0:4.1.22-2.el4
  • mysql-server-0:4.1.22-2.el4
refmap via4
apple APPLE-SA-2007-03-13
bid 19279
cert TA07-072A
confirm
mandriva MDKSA-2006:149
misc http://bugs.mysql.com/bug.php?id=15195
sectrack 1016617
secunia
  • 21259
  • 21382
  • 21627
  • 21685
  • 21770
  • 22080
  • 24479
  • 30351
  • 31226
suse SUSE-SR:2006:023
ubuntu USN-338-1
vupen
  • ADV-2006-3079
  • ADV-2007-0930
statements via4
contributor Mark J Cox
lastmodified 2008-07-25
organization Red Hat
statement This issue was corrected in all affected mysql packages versions as shipped in Red Hat Enterprise Linux or Red Hat Application Stack via: https://rhn.redhat.com/errata/CVE-2006-4031.html This issue did not affect mysql packages as shipped with Red Hat Enterprise Linux 2.1 or 3
Last major update 07-03-2011 - 21:40
Published 09-08-2006 - 18:04
Last modified 10-10-2017 - 21:31
Back to Top