ID CVE-2007-2583
Summary The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference.
References
Vulnerable Configurations
  • MySQL MySQL 5.0.0
    cpe:2.3:a:mysql:mysql:5.0.0
  • MySQL MySQL 5.0.0 alpha
    cpe:2.3:a:mysql:mysql:5.0.0:alpha
  • MySQL MySQL 5.0.0.0
    cpe:2.3:a:mysql:mysql:5.0.0.0
  • MySQL MySQL 5.0.1
    cpe:2.3:a:mysql:mysql:5.0.1
  • MySQL MySQL 5.0.1a
    cpe:2.3:a:mysql:mysql:5.0.1a
  • MySQL MySQL 5.0.2
    cpe:2.3:a:mysql:mysql:5.0.2
  • MySQL MySQL 5.0.3
    cpe:2.3:a:mysql:mysql:5.0.3
  • MySQL MySQL 5.0.3 Beta
    cpe:2.3:a:mysql:mysql:5.0.3:beta
  • MySQL MySQL 5.0.3a
    cpe:2.3:a:mysql:mysql:5.0.3a
  • MySQL MySQL 5.0.4
    cpe:2.3:a:mysql:mysql:5.0.4
  • MySQL MySQL 5.0.4a
    cpe:2.3:a:mysql:mysql:5.0.4a
  • MySQL MySQL 5.0.5
    cpe:2.3:a:mysql:mysql:5.0.5
  • cpe:2.3:a:mysql:mysql:5.0.5.0.21
    cpe:2.3:a:mysql:mysql:5.0.5.0.21
  • MySQL MySQL 5.0.6
    cpe:2.3:a:mysql:mysql:5.0.6
  • MySQL MySQL 5.0.7
    cpe:2.3:a:mysql:mysql:5.0.7
  • MySQL MySQL 5.0.8
    cpe:2.3:a:mysql:mysql:5.0.8
  • MySQL MySQL 5.0.9
    cpe:2.3:a:mysql:mysql:5.0.9
  • MySQL MySQL 5.0.10
    cpe:2.3:a:mysql:mysql:5.0.10
  • MySQL MySQL 5.0.10a
    cpe:2.3:a:mysql:mysql:5.0.10a
  • MySQL MySQL 5.0.11
    cpe:2.3:a:mysql:mysql:5.0.11
  • MySQL MySQL 5.0.12
    cpe:2.3:a:mysql:mysql:5.0.12
  • MySQL MySQL 5.0.13
    cpe:2.3:a:mysql:mysql:5.0.13
  • MySQL MySQL 5.0.14
    cpe:2.3:a:mysql:mysql:5.0.14
  • MySQL MySQL 5.0.15
    cpe:2.3:a:mysql:mysql:5.0.15
  • MySQL MySQL 5.0.15a
    cpe:2.3:a:mysql:mysql:5.0.15a
  • MySQL MySQL 5.0.16
    cpe:2.3:a:mysql:mysql:5.0.16
  • MySQL MySQL 5.0.16a
    cpe:2.3:a:mysql:mysql:5.0.16a
  • MySQL MySQL 5.0.17
    cpe:2.3:a:mysql:mysql:5.0.17
  • MySQL MySQL 5.0.17a
    cpe:2.3:a:mysql:mysql:5.0.17a
  • MySQL MySQL 5.0.18
    cpe:2.3:a:mysql:mysql:5.0.18
  • MySQL MySQL 5.0.19
    cpe:2.3:a:mysql:mysql:5.0.19
  • MySQL MySQL 5.0.20
    cpe:2.3:a:mysql:mysql:5.0.20
  • MySQL MySQL 5.0.20a
    cpe:2.3:a:mysql:mysql:5.0.20a
  • MySQL MySQL 5.0.21
    cpe:2.3:a:mysql:mysql:5.0.21
  • MySQL MySQL 5.0.22
    cpe:2.3:a:mysql:mysql:5.0.22
  • cpe:2.3:a:mysql:mysql:5.0.22.1.0.1
    cpe:2.3:a:mysql:mysql:5.0.22.1.0.1
  • MySQL MySQL 5.0.24
    cpe:2.3:a:mysql:mysql:5.0.24
  • MySQL MySQL 5.0.27
    cpe:2.3:a:mysql:mysql:5.0.27
  • MySQL MySQL 5.0.33
    cpe:2.3:a:mysql:mysql:5.0.33
  • MySQL MySQL 5.0.37
    cpe:2.3:a:mysql:mysql:5.0.37
  • MySQL 5.0.38
    cpe:2.3:a:mysql:mysql:5.0.38
  • MySQL 5.1
    cpe:2.3:a:mysql:mysql:5.1
  • MySQL 5.1.1
    cpe:2.3:a:mysql:mysql:5.1.1
  • MySQL 5.1.10
    cpe:2.3:a:mysql:mysql:5.1.10
  • MySQL 5.1.11
    cpe:2.3:a:mysql:mysql:5.1.11
  • MySQL 5.1.12
    cpe:2.3:a:mysql:mysql:5.1.12
  • MySQL 5.1.13
    cpe:2.3:a:mysql:mysql:5.1.13
  • MySQL 5.1.14
    cpe:2.3:a:mysql:mysql:5.1.14
  • MySQL 5.1.15
    cpe:2.3:a:mysql:mysql:5.1.15
  • MySQL 5.1.16
    cpe:2.3:a:mysql:mysql:5.1.16
  • MySQL 5.1.17
    cpe:2.3:a:mysql:mysql:5.1.17
CVSS
Base: 4.0 (as of 10-05-2007 - 14:36)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE_INSTANCE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
exploit-db via4
description MySQL 5.0.x IF Query Handling Remote Denial Of Service Vulnerability. CVE-2007-2583. Dos exploit for linux platform
file exploits/linux/dos/30020.txt
id EDB-ID:30020
last seen 2016-02-03
modified 2013-12-04
platform linux
port
published 2013-12-04
reporter Neil Kettle
source https://www.exploit-db.com/download/30020/
title MySQL 5.0.x - IF Query Handling Remote Denial of Service Vulnerability
type dos
nessus via4
  • NASL family Databases
    NASL id MYSQL_SELECT_IF_DOS.NASL
    description The version of MySQL installed on the remote host reportedly is affected by a denial of service vulnerability that may be triggered with a specially crafted IF query. An attacker who can execute arbitrary SELECT statements may be able to leverage this issue to crash the affected service.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 25198
    published 2007-05-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25198
    title MySQL Crafted IF Clause Divide-by-zero NULL Dereference DoS
  • NASL family Databases
    NASL id MYSQL_5_0_40.NASL
    description The version of MySQL installed on the remote host is reportedly affected by several issues : - Evaluation of an 'IN()' predicate with a decimal-valued argument causes a service crash. - A remote, authenticated user can gain privileges.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17832
    published 2012-01-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17832
    title MySQL 5.0 < 5.0.40 Multiple Vulnerabilities
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080521_MYSQL_ON_SL5_X.NASL
    description MySQL did not require privileges such as 'SELECT' for the source table in a 'CREATE TABLE LIKE' statement. An authenticated user could obtain sensitive information, such as the table structure. (CVE-2007-3781) A flaw was discovered in MySQL that allowed an authenticated user to gain update privileges for a table in another database, via a view that refers to the external table. (CVE-2007-3782) MySQL did not require the 'DROP' privilege for 'RENAME TABLE' statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691) A flaw was discovered in the mysql_change_db function when returning from SQL SECURITY INVOKER stored routines. An authenticated user could use this flaw to gain database privileges. (CVE-2007-2692) MySQL allowed an authenticated user to bypass logging mechanisms via SQL queries that contain the NULL character, which were not properly handled by the mysql_real_query function. (CVE-2006-0903) MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the '--skip-merge' option. (CVE-2006-4031) MySQL evaluated arguments in the wrong security context, which allowed an authenticated user to gain privileges through a routine that had been made available using 'GRANT EXECUTE'. (CVE-2006-4227) Multiple flaws in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-7232, CVE-2007-1420, CVE-2007-2583) As well, these updated packages fix the following bugs : - a separate counter was used for 'insert delayed' statements, which caused rows to be discarded. In these updated packages, 'insert delayed' statements no longer use a separate counter, which resolves this issue. - due to a bug in the Native POSIX Thread Library, in certain situations, 'flush tables' caused a deadlock on tables that had a read lock. The mysqld daemon had to be killed forcefully. Now, 'COND_refresh' has been replaced with 'COND_global_read_lock', which resolves this issue. - mysqld crashed if a query for an unsigned column type contained a negative value for a 'WHERE [column] NOT IN' subquery. - in master and slave server situations, specifying 'on duplicate key update' for 'insert' statements did not update slave servers. - in the mysql client, empty strings were displayed as 'NULL'. For example, running 'insert into [table-name] values (' ');' resulted in a 'NULL' entry being displayed when querying the table using 'select * from [table-name];'. - a bug in the optimizer code resulted in certain queries executing much slower than expected. - on 64-bit PowerPC architectures, MySQL did not calculate the thread stack size correctly, which could have caused MySQL to crash when overly-complex queries were used. Note: these updated packages upgrade MySQL to version 5.0.45. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0.html
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60406
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60406
    title Scientific Linux Security Update : mysql on SL5.x i386/x86_64
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-139.NASL
    description MySQL 5.x before 5.0.36 allows local users to cause a denial of service (database crash) by performing information_schema table subselects and using ORDER BY to sort a single-row result, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function. This issue does not affect MySQL 5.0.37 in Mandriva Linux 2007.1. (CVE-2007-1420) The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference. (CVE-2007-2583) MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables. (CVE-2007-2691) Updated packages have been patched to prevent the above issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 25669
    published 2007-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25669
    title Mandrake Linux Security Advisory : MySQL (MDKSA-2007:139)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-528-1.NASL
    description Neil Kettle discovered that MySQL could be made to dereference a NULL pointer and divide by zero. An authenticated user could exploit this with a crafted IF clause, leading to a denial of service. (CVE-2007-2583) Victoria Reznichenko discovered that MySQL did not always require the DROP privilege. An authenticated user could exploit this via RENAME TABLE statements to rename arbitrary tables, possibly gaining additional database access. (CVE-2007-2691) It was discovered that MySQL could be made to overflow a signed char during authentication. Remote attackers could use crafted authentication requests to cause a denial of service. (CVE-2007-3780) Phil Anderton discovered that MySQL did not properly verify access privileges when accessing external tables. As a result, authenticated users could exploit this to obtain UPDATE privileges to external tables. (CVE-2007-3782) In certain situations, when installing or upgrading mysql, there was no notification that the mysql root user password needed to be set. If the password was left unset, attackers would be able to obtain unrestricted access to mysql. This is now checked during mysql start-up. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28133
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28133
    title Ubuntu 6.06 LTS / 6.10 / 7.04 : mysql-dfsg-5.0 vulnerabilities (USN-528-1)
  • NASL family Databases
    NASL id MYSQL_5_1_18.NASL
    description The version of MySQL installed on the remote host reportedly is affected by several issues : - Evaluation of an 'IN()' predicate with a decimal-valued argument causes a service crash. - A user can rename a table even though he does not have DROP privileges. - If a stored routine is declared as 'SQL SECURITY INVOKER', a user may be able to gain privileges by invoking that routine. - A user with only ALTER privileges on a partitioned table can discover information about the table that should require SELECT privileges.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 25242
    published 2007-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25242
    title MySQL 5.1 < 5.1.18 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12044.NASL
    description This update fixes several security vulnerabilities (note: not all versions are affected by every bug) : - CVE-2007-2583 - CVE-2007-2691 - CVE-2007-2692 - CVE-2007-5925 - CVE-2007-5969 - CVE-2007-6303 - CVE-2007-6304
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 41184
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41184
    title SuSE9 Security Update : MySQL (YOU Patch Number 12044)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0364.NASL
    description Updated mysql packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having low security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld), and many different client programs and libraries. MySQL did not require privileges such as 'SELECT' for the source table in a 'CREATE TABLE LIKE' statement. An authenticated user could obtain sensitive information, such as the table structure. (CVE-2007-3781) A flaw was discovered in MySQL that allowed an authenticated user to gain update privileges for a table in another database, via a view that refers to the external table. (CVE-2007-3782) MySQL did not require the 'DROP' privilege for 'RENAME TABLE' statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691) A flaw was discovered in the mysql_change_db function when returning from SQL SECURITY INVOKER stored routines. An authenticated user could use this flaw to gain database privileges. (CVE-2007-2692) MySQL allowed an authenticated user to bypass logging mechanisms via SQL queries that contain the NULL character, which were not properly handled by the mysql_real_query function. (CVE-2006-0903) MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the '--skip-merge' option. (CVE-2006-4031) MySQL evaluated arguments in the wrong security context, which allowed an authenticated user to gain privileges through a routine that had been made available using 'GRANT EXECUTE'. (CVE-2006-4227) Multiple flaws in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-7232, CVE-2007-1420, CVE-2007-2583) As well, these updated packages fix the following bugs : * a separate counter was used for 'insert delayed' statements, which caused rows to be discarded. In these updated packages, 'insert delayed' statements no longer use a separate counter, which resolves this issue. * due to a bug in the Native POSIX Thread Library, in certain situations, 'flush tables' caused a deadlock on tables that had a read lock. The mysqld daemon had to be killed forcefully. Now, 'COND_refresh' has been replaced with 'COND_global_read_lock', which resolves this issue. * mysqld crashed if a query for an unsigned column type contained a negative value for a 'WHERE [column] NOT IN' subquery. * in master and slave server situations, specifying 'on duplicate key update' for 'insert' statements did not update slave servers. * in the mysql client, empty strings were displayed as 'NULL'. For example, running 'insert into [table-name] values (' ');' resulted in a 'NULL' entry being displayed when querying the table using 'select * from [table-name];'. * a bug in the optimizer code resulted in certain queries executing much slower than expected. * on 64-bit PowerPC architectures, MySQL did not calculate the thread stack size correctly, which could have caused MySQL to crash when overly-complex queries were used. Note: these updated packages upgrade MySQL to version 5.0.45. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0.html All mysql users are advised to upgrade to these updated packages, which resolve these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 32425
    published 2008-05-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=32425
    title RHEL 5 : mysql (RHSA-2008:0364)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_LIBMYSQLCLIENT-DEVEL-4873.NASL
    description This update fixes several security vulnerabilities (note: not all versions are affected by every bug) : - CVE-2007-2583 - CVE-2007-2691 - CVE-2007-2692 - CVE-2007-5925 - CVE-2007-5969 - CVE-2007-6303 - CVE-2007-6304
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 30180
    published 2008-02-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=30180
    title openSUSE 10 Security Update : libmysqlclient-devel (libmysqlclient-devel-4873)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1413.NASL
    description Several vulnerabilities have been found in the MySQL database packages with implications ranging from unauthorized database modifications to remotely triggered server crashes. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-2583 The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40 allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference. (Affects source version 5.0.32.) - CVE-2007-2691 MySQL does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables. (All supported versions affected.) - CVE-2007-2692 The mysql_change_db function does not restore THD::db_access privileges when returning from SQL SECURITY INVOKER stored routines, which allows remote authenticated users to gain privileges. (Affects source version 5.0.32.) - CVE-2007-3780 MySQL could be made to overflow a signed char during authentication. Remote attackers could use specially crafted authentication requests to cause a denial of service. (Upstream source versions 4.1.11a and 5.0.32 affected.) - CVE-2007-3782 Phil Anderton discovered that MySQL did not properly verify access privileges when accessing external tables. As a result, authenticated users could exploit this to obtain UPDATE privileges to external tables. (Affects source version 5.0.32.) - CVE-2007-5925 The convert_search_mode_to_innobase function in ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows remote authenticated users to cause a denial of service (database crash) via a certain CONTAINS operation on an indexed column, which triggers an assertion error. (Affects source version 5.0.32.)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 28336
    published 2007-11-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28336
    title Debian DSA-1413-1 : mysql - multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_MYSQL-4879.NASL
    description This update fixes several security vulnerabilities (note: not all versions are affected by every bug) : - CVE-2007-2583 - CVE-2007-2691 - CVE-2007-2692 - CVE-2007-5925 - CVE-2007-5969 - CVE-2007-6303 - CVE-2007-6304
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 30182
    published 2008-02-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=30182
    title SuSE 10 Security Update : MySQL (ZYPP Patch Number 4879)
oval via4
accepted 2013-04-29T04:23:24.805-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference.
family unix
id oval:org.mitre.oval:def:9930
status accepted
submitted 2010-07-09T03:56:16-04:00
title The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference.
version 18
packetstorm via4
data source https://packetstormsecurity.com/files/download/124295/mysql50x-dos.txt
id PACKETSTORM:124295
last seen 2016-12-05
published 2013-12-05
reporter Neil Kettle
source https://packetstormsecurity.com/files/124295/MySQL-5.0.x-Denial-Of-Service.html
title MySQL 5.0.x Denial Of Service
redhat via4
advisories
rhsa
id RHSA-2008:0364
rpms
  • mysql-0:5.0.45-7.el5
  • mysql-bench-0:5.0.45-7.el5
  • mysql-devel-0:5.0.45-7.el5
  • mysql-server-0:5.0.45-7.el5
  • mysql-test-0:5.0.45-7.el5
refmap via4
bid 23911
confirm
debian DSA-1413
exploit-db 30020
gentoo GLSA-200705-11
mandriva MDKSA-2007:139
misc http://packetstormsecurity.com/files/124295/MySQL-5.0.x-Denial-Of-Service.html
osvdb 34734
secunia
  • 25188
  • 25196
  • 25255
  • 25389
  • 25946
  • 27155
  • 27823
  • 28838
  • 30351
suse SUSE-SR:2008:003
trustix 2007-0017
ubuntu USN-528-1
vupen ADV-2007-1731
xf mysql-if-dos(34232)
statements via4
contributor Joshua Bressers
lastmodified 2008-07-25
organization Red Hat
statement This issue did not affect mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4. Issue was addressed in mysql packages as shipped in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0364.html
Last major update 20-02-2014 - 22:45
Published 09-05-2007 - 20:19
Last modified 03-10-2018 - 17:47
Back to Top