MySQL Security Invoker Privilege Escalation Vulnerability

Bugtraq ID:	24011
Class:	Access Validation Error
CVE:	CVE-2007-2692
Remote:	Yes
Local:	No
Published:	May 16 2007 12:00AM
Updated:	May 21 2008 09:04PM
Credit:	The vendor disclosed this issue.
Vulnerable:	Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 SuSE SUSE Linux Enterprise Server 8 + Linux kernel 2.4.21 + Linux kernel 2.4.19 SuSE SUSE Linux Enterprise Server 10 SP1 SuSE SUSE Linux Enterprise SDK 10 SP1 SuSE Suse Linux Enterprise Desktop 10 SP1 SuSE Linux Enterprise Server 9 SuSE Linux Enterprise Server 10.SP1 SuSE Linux Desktop 1.0 SuSE Linux 10.1 x86-64 SuSE Linux 10.1 x86 SuSE Linux 10.1 ppc SuSE Linux 10.0 x86-64 SuSE Linux 10.0 x86 SuSE Linux 10.0 ppc S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. openSUSE 10.3 S.u.S.E. openSUSE 10.2 S.u.S.E. Open-Enterprise-Server 0 S.u.S.E. Novell Linux POS 9 S.u.S.E. Novell Linux Desktop 9 rPath rPath Linux 1 Redhat Enterprise Linux Desktop Workstation 5 client Redhat Enterprise Linux Desktop 5 client Redhat Enterprise Linux 5 server MySQL AB MySQL 5.1.17 MySQL AB MySQL 5.1.16 MySQL AB MySQL 5.1.15 MySQL AB MySQL 5.1.14 MySQL AB MySQL 5.1.13 MySQL AB MySQL 5.1.12 MySQL AB MySQL 5.1.11 MySQL AB MySQL 5.1.10 MySQL AB MySQL 5.1.9 MySQL AB MySQL 5.1.6 MySQL AB MySQL 5.1.5 MySQL AB MySQL 5.0.39 MySQL AB MySQL 5.0.38 MySQL AB MySQL 5.0.37 MySQL AB MySQL 5.0.36 MySQL AB MySQL 5.0.33 MySQL AB MySQL 5.0.32 MySQL AB MySQL 5.0.27 MySQL AB MySQL 5.0.24 MySQL AB MySQL 5.0.22 -1-0.1 MySQL AB MySQL 5.0.22 MySQL AB MySQL 5.0.21 MySQL AB MySQL 5.0.20 MySQL AB MySQL 5.0.19 MySQL AB MySQL 5.0.18 MySQL AB MySQL 5.0.4 MySQL AB MySQL 5.0.3 MySQL AB MySQL 5.0.2 MySQL AB MySQL 5.0.1 MySQL AB MySQL 5.0 .0-alpha MySQL AB MySQL 5.0 .0-0 MySQL AB MySQL 5.0 Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 4.0 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0
Not Vulnerable:	MySQL AB MySQL 5.1.18 MySQL AB MySQL 5.0.40

MySQL Security Invoker Privilege Escalation Vulnerability

MySQL is prone to a privilege-escalation vulnerability because it fails to adequately restore access privileges during certain routines.

A remote authenticated attacker can exploit this issue to gain elevated privileges on an affected database.

These versions are vulnerable:

MySQL 5 prior to 5.0.40
MySQL 5.1 prior to 5.1.18

MySQL Security Invoker Privilege Escalation Vulnerability

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

MySQL Security Invoker Privilege Escalation Vulnerability

Solution:
The vendor has released MySQL 5.1.18 to address this issue. Please see the references for more information.


MySQL AB MySQL 5.0

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0 .0-0

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.1

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.18

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.19

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.2

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.20

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.21

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.22 -1-0.1

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.22

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.24

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.27

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.3

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.33

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.36

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.37

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.39

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.0.4

• MySQL AB mysql-5.0.41.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.41.tar.gz/from/ pick

MySQL AB MySQL 5.1.10

• MySQL AB mysql-5.1.18-beta.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.1/mysql-5.1.18-beta.tar.gz/ from/pick

MySQL AB MySQL 5.1.11

• MySQL AB mysql-5.1.18-beta.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.1/mysql-5.1.18-beta.tar.gz/ from/pick

MySQL AB MySQL 5.1.12

• MySQL AB mysql-5.1.18-beta.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.1/mysql-5.1.18-beta.tar.gz/ from/pick

MySQL AB MySQL 5.1.13

• MySQL AB mysql-5.1.18-beta.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.1/mysql-5.1.18-beta.tar.gz/ from/pick

MySQL AB MySQL 5.1.14

• MySQL AB mysql-5.1.18-beta.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.1/mysql-5.1.18-beta.tar.gz/ from/pick

MySQL AB MySQL 5.1.15

• MySQL AB mysql-5.1.18-beta.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.1/mysql-5.1.18-beta.tar.gz/ from/pick

MySQL AB MySQL 5.1.16

• MySQL AB mysql-5.1.18-beta.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.1/mysql-5.1.18-beta.tar.gz/ from/pick

MySQL AB MySQL 5.1.17

• MySQL AB mysql-5.1.18-beta.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.1/mysql-5.1.18-beta.tar.gz/ from/pick

MySQL AB MySQL 5.1.5

• MySQL AB mysql-5.1.18-beta.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.1/mysql-5.1.18-beta.tar.gz/ from/pick

MySQL AB MySQL 5.1.6

• MySQL AB mysql-5.1.18-beta.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.1/mysql-5.1.18-beta.tar.gz/ from/pick

MySQL AB MySQL 5.1.9

• MySQL AB mysql-5.1.18-beta.tar.gz
  http://dev.mysql.com/get/Downloads/MySQL-5.1/mysql-5.1.18-beta.tar.gz/ from/pick

MySQL Security Invoker Privilege Escalation Vulnerability

References:

• MySQL Homepage (Oracle)
  
• C.1.2. Changes in release 5.1.18 (08 May 2007) (MySQL AB)
  
• RHSA-2008:0364-9 mysql security and bug fix update (Red Hat)