ID CVE-2007-1420
Summary MySQL 5.x before 5.0.36 allows local users to cause a denial of service (database crash) by performing information_schema table subselects and using ORDER BY to sort a single-row result, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function.
References
Vulnerable Configurations
  • MySQL 5.0
    cpe:2.3:a:mysql:mysql:5.0
  • MySQL MySQL 5.0.0
    cpe:2.3:a:mysql:mysql:5.0.0
  • MySQL MySQL 5.0.0 alpha
    cpe:2.3:a:mysql:mysql:5.0.0:alpha
  • MySQL MySQL 5.0.0.0
    cpe:2.3:a:mysql:mysql:5.0.0.0
  • MySQL MySQL 5.0.1
    cpe:2.3:a:mysql:mysql:5.0.1
  • MySQL MySQL 5.0.1a
    cpe:2.3:a:mysql:mysql:5.0.1a
  • MySQL MySQL 5.0.2
    cpe:2.3:a:mysql:mysql:5.0.2
  • MySQL MySQL 5.0.3
    cpe:2.3:a:mysql:mysql:5.0.3
  • MySQL MySQL 5.0.3 Beta
    cpe:2.3:a:mysql:mysql:5.0.3:beta
  • MySQL MySQL 5.0.3a
    cpe:2.3:a:mysql:mysql:5.0.3a
  • MySQL MySQL 5.0.4
    cpe:2.3:a:mysql:mysql:5.0.4
  • MySQL MySQL 5.0.4a
    cpe:2.3:a:mysql:mysql:5.0.4a
  • MySQL MySQL 5.0.5
    cpe:2.3:a:mysql:mysql:5.0.5
  • MySQL MySQL 5.0.6
    cpe:2.3:a:mysql:mysql:5.0.6
  • MySQL MySQL 5.0.7
    cpe:2.3:a:mysql:mysql:5.0.7
  • MySQL MySQL 5.0.8
    cpe:2.3:a:mysql:mysql:5.0.8
  • MySQL MySQL 5.0.9
    cpe:2.3:a:mysql:mysql:5.0.9
  • MySQL MySQL 5.0.10
    cpe:2.3:a:mysql:mysql:5.0.10
  • MySQL MySQL 5.0.10a
    cpe:2.3:a:mysql:mysql:5.0.10a
  • MySQL MySQL 5.0.11
    cpe:2.3:a:mysql:mysql:5.0.11
  • MySQL MySQL 5.0.12
    cpe:2.3:a:mysql:mysql:5.0.12
  • MySQL MySQL 5.0.13
    cpe:2.3:a:mysql:mysql:5.0.13
  • MySQL MySQL 5.0.14
    cpe:2.3:a:mysql:mysql:5.0.14
  • MySQL MySQL 5.0.15
    cpe:2.3:a:mysql:mysql:5.0.15
  • MySQL MySQL 5.0.15a
    cpe:2.3:a:mysql:mysql:5.0.15a
  • MySQL MySQL 5.0.16
    cpe:2.3:a:mysql:mysql:5.0.16
  • MySQL MySQL 5.0.16a
    cpe:2.3:a:mysql:mysql:5.0.16a
  • MySQL MySQL 5.0.17
    cpe:2.3:a:mysql:mysql:5.0.17
  • MySQL MySQL 5.0.17a
    cpe:2.3:a:mysql:mysql:5.0.17a
  • MySQL MySQL 5.0.18
    cpe:2.3:a:mysql:mysql:5.0.18
  • MySQL MySQL 5.0.19
    cpe:2.3:a:mysql:mysql:5.0.19
  • MySQL MySQL 5.0.20
    cpe:2.3:a:mysql:mysql:5.0.20
  • MySQL MySQL 5.0.20a
    cpe:2.3:a:mysql:mysql:5.0.20a
  • MySQL MySQL 5.0.21
    cpe:2.3:a:mysql:mysql:5.0.21
  • MySQL MySQL 5.0.22
    cpe:2.3:a:mysql:mysql:5.0.22
  • MySQL MySQL 5.0.24
    cpe:2.3:a:mysql:mysql:5.0.24
  • MySQL MySQL 5.0.27
    cpe:2.3:a:mysql:mysql:5.0.27
  • MySQL 5.0.30
    cpe:2.3:a:mysql:mysql:5.0.30
  • MySQL 5.0.32
    cpe:2.3:a:mysql:mysql:5.0.32
  • MySQL MySQL 5.0.33
    cpe:2.3:a:mysql:mysql:5.0.33
  • MySQL5.0.41
    cpe:2.3:a:mysql:mysql:5.0.41
CVSS
Base: 2.1 (as of 13-03-2007 - 16:36)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
exploit-db via4
description MySQL 5.0.x Single Row SubSelect Remote Denial Of Service Vulnerability. CVE-2007-1420. Dos exploit for linux platform
id EDB-ID:29724
last seen 2016-02-03
modified 2007-03-09
published 2007-03-09
reporter S.Streichsbier
source https://www.exploit-db.com/download/29724/
title MySQL 5.0.x Single Row SubSelect Remote Denial of Service Vulnerability
nessus via4
  • NASL family Databases
    NASL id MYSQL_5_0_36.NASL
    description The version of MySQL installed on the remote host is earlier than 5.0.36 and thus reportedly allows a local user to cause a denial of service.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 17803
    published 2012-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17803
    title MySQL < 5.0.36 Denial of Service
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-440-1.NASL
    description Stefan Streichbier and B. Mueller of SEC Consult discovered that MySQL subselect queries using 'ORDER BY' could be made to crash the MySQL server. An attacker with access to a MySQL instance could cause an intermitant denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28037
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28037
    title Ubuntu 6.06 LTS / 6.10 : mysql-dfsg-5.0 vulnerability (USN-440-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200705-11.NASL
    description The remote host is affected by the vulnerability described in GLSA-200705-11 (MySQL: Two Denial of Service vulnerabilities) mu-b discovered a NULL pointer dereference in item_cmpfunc.cc when processing certain types of SQL requests. Sec Consult also discovered another NULL pointer dereference when sorting certain types of queries on the database metadata. Impact : In both cases, a remote attacker could send a specially crafted SQL request to the server, possibly resulting in a server crash. Note that the attacker needs the ability to execute SELECT queries. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 25188
    published 2007-05-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25188
    title GLSA-200705-11 : MySQL: Two Denial of Service vulnerabilities
  • NASL family Databases
    NASL id MYSQL_SINGLE_ROW_SUBSELECT_DOS.NASL
    description According to its banner, the version of MySQL on the remote host is older than 5.0.37. Such versions are vulnerable to a remote denial of service when processing certain single row subselect queries. A malicious user can crash the service via a specially crafted SQL query.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 24905
    published 2007-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24905
    title MySQL Single Row Subselect Remote DoS
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080521_MYSQL_ON_SL5_X.NASL
    description MySQL did not require privileges such as 'SELECT' for the source table in a 'CREATE TABLE LIKE' statement. An authenticated user could obtain sensitive information, such as the table structure. (CVE-2007-3781) A flaw was discovered in MySQL that allowed an authenticated user to gain update privileges for a table in another database, via a view that refers to the external table. (CVE-2007-3782) MySQL did not require the 'DROP' privilege for 'RENAME TABLE' statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691) A flaw was discovered in the mysql_change_db function when returning from SQL SECURITY INVOKER stored routines. An authenticated user could use this flaw to gain database privileges. (CVE-2007-2692) MySQL allowed an authenticated user to bypass logging mechanisms via SQL queries that contain the NULL character, which were not properly handled by the mysql_real_query function. (CVE-2006-0903) MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the '--skip-merge' option. (CVE-2006-4031) MySQL evaluated arguments in the wrong security context, which allowed an authenticated user to gain privileges through a routine that had been made available using 'GRANT EXECUTE'. (CVE-2006-4227) Multiple flaws in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-7232, CVE-2007-1420, CVE-2007-2583) As well, these updated packages fix the following bugs : - a separate counter was used for 'insert delayed' statements, which caused rows to be discarded. In these updated packages, 'insert delayed' statements no longer use a separate counter, which resolves this issue. - due to a bug in the Native POSIX Thread Library, in certain situations, 'flush tables' caused a deadlock on tables that had a read lock. The mysqld daemon had to be killed forcefully. Now, 'COND_refresh' has been replaced with 'COND_global_read_lock', which resolves this issue. - mysqld crashed if a query for an unsigned column type contained a negative value for a 'WHERE [column] NOT IN' subquery. - in master and slave server situations, specifying 'on duplicate key update' for 'insert' statements did not update slave servers. - in the mysql client, empty strings were displayed as 'NULL'. For example, running 'insert into [table-name] values (' ');' resulted in a 'NULL' entry being displayed when querying the table using 'select * from [table-name];'. - a bug in the optimizer code resulted in certain queries executing much slower than expected. - on 64-bit PowerPC architectures, MySQL did not calculate the thread stack size correctly, which could have caused MySQL to crash when overly-complex queries were used. Note: these updated packages upgrade MySQL to version 5.0.45. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0.html
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60406
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60406
    title Scientific Linux Security Update : mysql on SL5.x i386/x86_64
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-139.NASL
    description MySQL 5.x before 5.0.36 allows local users to cause a denial of service (database crash) by performing information_schema table subselects and using ORDER BY to sort a single-row result, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function. This issue does not affect MySQL 5.0.37 in Mandriva Linux 2007.1. (CVE-2007-1420) The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference. (CVE-2007-2583) MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables. (CVE-2007-2691) Updated packages have been patched to prevent the above issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 25669
    published 2007-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25669
    title Mandrake Linux Security Advisory : MySQL (MDKSA-2007:139)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0364.NASL
    description Updated mysql packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having low security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld), and many different client programs and libraries. MySQL did not require privileges such as 'SELECT' for the source table in a 'CREATE TABLE LIKE' statement. An authenticated user could obtain sensitive information, such as the table structure. (CVE-2007-3781) A flaw was discovered in MySQL that allowed an authenticated user to gain update privileges for a table in another database, via a view that refers to the external table. (CVE-2007-3782) MySQL did not require the 'DROP' privilege for 'RENAME TABLE' statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691) A flaw was discovered in the mysql_change_db function when returning from SQL SECURITY INVOKER stored routines. An authenticated user could use this flaw to gain database privileges. (CVE-2007-2692) MySQL allowed an authenticated user to bypass logging mechanisms via SQL queries that contain the NULL character, which were not properly handled by the mysql_real_query function. (CVE-2006-0903) MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the '--skip-merge' option. (CVE-2006-4031) MySQL evaluated arguments in the wrong security context, which allowed an authenticated user to gain privileges through a routine that had been made available using 'GRANT EXECUTE'. (CVE-2006-4227) Multiple flaws in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-7232, CVE-2007-1420, CVE-2007-2583) As well, these updated packages fix the following bugs : * a separate counter was used for 'insert delayed' statements, which caused rows to be discarded. In these updated packages, 'insert delayed' statements no longer use a separate counter, which resolves this issue. * due to a bug in the Native POSIX Thread Library, in certain situations, 'flush tables' caused a deadlock on tables that had a read lock. The mysqld daemon had to be killed forcefully. Now, 'COND_refresh' has been replaced with 'COND_global_read_lock', which resolves this issue. * mysqld crashed if a query for an unsigned column type contained a negative value for a 'WHERE [column] NOT IN' subquery. * in master and slave server situations, specifying 'on duplicate key update' for 'insert' statements did not update slave servers. * in the mysql client, empty strings were displayed as 'NULL'. For example, running 'insert into [table-name] values (' ');' resulted in a 'NULL' entry being displayed when querying the table using 'select * from [table-name];'. * a bug in the optimizer code resulted in certain queries executing much slower than expected. * on 64-bit PowerPC architectures, MySQL did not calculate the thread stack size correctly, which could have caused MySQL to crash when overly-complex queries were used. Note: these updated packages upgrade MySQL to version 5.0.45. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0.html All mysql users are advised to upgrade to these updated packages, which resolve these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 32425
    published 2008-05-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=32425
    title RHEL 5 : mysql (RHSA-2008:0364)
oval via4
accepted 2013-04-29T04:20:02.738-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description MySQL 5.x before 5.0.36 allows local users to cause a denial of service (database crash) by performing information_schema table subselects and using ORDER BY to sort a single-row result, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function.
family unix
id oval:org.mitre.oval:def:9530
status accepted
submitted 2010-07-09T03:56:16-04:00
title MySQL 5.x before 5.0.36 allows local users to cause a denial of service (database crash) by performing information_schema table subselects and using ORDER BY to sort a single-row result, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function.
version 18
redhat via4
advisories
rhsa
id RHSA-2008:0364
rpms
  • mysql-0:5.0.45-7.el5
  • mysql-bench-0:5.0.45-7.el5
  • mysql-devel-0:5.0.45-7.el5
  • mysql-server-0:5.0.45-7.el5
  • mysql-test-0:5.0.45-7.el5
refmap via4
bid 22900
bugtraq 20070309 SEC Consult SA-20070309-0 :: MySQL 5 Single Row Subselect Denial of Service
confirm
gentoo GLSA-200705-11
mandriva MDKSA-2007:139
misc http://www.sec-consult.com/284.html
sectrack 1017746
secunia
  • 24483
  • 24609
  • 25196
  • 25389
  • 25946
  • 30351
sreason 2413
ubuntu USN-440-1
vupen ADV-2007-0908
statements via4
contributor Joshua Bressers
lastmodified 2008-07-25
organization Red Hat
statement This issue did not affect mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4. Issue was addressed in mysql packages as shipped in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0364.html
Last major update 01-09-2011 - 00:00
Published 12-03-2007 - 19:19
Last modified 16-10-2018 - 12:38
Back to Top