CVE-2010-2008

2010-07-1300:00:00

ubuntu.com

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:N/I:N/A:P

0.018 Low

EPSS

Percentile

88.2%

JSON

MySQL before 5.1.48 allows remote authenticated users with alter database
privileges to cause a denial of service (server crash and database loss)
via an ALTER DATABASE command with a #mysql50# string followed by a .
(dot), … (dot dot), …/ (dot dot slash) or similar sequence, and an
UPGRADE DATA DIRECTORY NAME command, which causes MySQL to move certain
directories to the server data directory.

Bugs

Notes

Author	Note
jdstrand	PoC in upstream report (remeber to add UPGRADE DATA DIRECTORY NAME)

OSVersionArchitecturePackageVersionFilename
ubuntu10.10noarchmysql-5.1< 5.1.48-1ubuntu1UNKNOWN
ubuntu9.10noarchmysql-dfsg-5.1< 5.1.37-1ubuntu5.5UNKNOWN
ubuntu10.04noarchmysql-dfsg-5.1< 5.1.41-3ubuntu12.7UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	10.10	noarch	mysql-5.1	< 5.1.48-1ubuntu1	UNKNOWN
ubuntu	9.10	noarch	mysql-dfsg-5.1	< 5.1.37-1ubuntu5.5	UNKNOWN
ubuntu	10.04	noarch	mysql-dfsg-5.1	< 5.1.41-3ubuntu12.7	UNKNOWN