Vulnerabilities > CVE-2007-6303 - Privilege Escalation And Denial Of Service vulnerability in MySQL Server

CVSS 3.5 - LOW

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

mysql

oracle

nessus

NVD

Published: 2007-12-10

Updated: 2019-12-17

Summary

MySQL 5.0.x before 5.0.51a, 5.1.x before 5.1.23, and 6.0.x before 6.0.4 does not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement.

Vulnerable Configurations

Part	Description	Count
Application	Mysql Mysql Mysql 5.0.0 Mysql Mysql 5.0.1 Mysql Mysql 5.0.2 Mysql Mysql 5.0.3 Mysql Mysql 5.0.4 Mysql Mysql 5.0.5 Mysql Mysql 5.0.5.0.21 Mysql Mysql 5.0.10 Mysql Mysql 5.0.15 Mysql Mysql 5.0.16 Mysql Mysql 5.0.17 Mysql Mysql 5.0.20 Mysql Mysql 5.0.22.1.0.1 Mysql Mysql 5.0.24	14
Application	Oracle Oracle Mysql 5.0.41 Oracle Mysql 5.1.1 Oracle Mysql 5.1.2 Oracle Mysql 5.1.10 Oracle Mysql 5.1.11 Oracle Mysql 5.1.12 Oracle Mysql 5.1.13 Oracle Mysql 5.1.14 Oracle Mysql 5.1.15 Oracle Mysql 5.1.16 Oracle Mysql 5.1.17 Oracle Mysql 6.0.0 Oracle Mysql 6.0.1 Oracle Mysql 6.0.2 Oracle Mysql 6.0.3	15

Nessus

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-588-1.NASL
description	Masaaki Hirose discovered that MySQL could be made to dereference a NULL pointer. An authenticated user could cause a denial of service (application crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA table. This issue only affects Ubuntu 6.06 and 6.10. (CVE-2006-7232) Alexander Nozdrin discovered that MySQL did not restore database access privileges when returning from SQL SECURITY INVOKER stored routines. An authenticated user could exploit this to gain privileges. This issue does not affect Ubuntu 7.10. (CVE-2007-2692) Martin Friebe discovered that MySQL did not properly update the DEFINER value of an altered view. An authenticated user could use CREATE SQL SECURITY DEFINER VIEW and ALTER VIEW statements to gain privileges. (CVE-2007-6303) Luigi Auriemma discovered that yaSSL as included in MySQL did not properly validate its input. A remote attacker could send crafted requests and cause a denial of service or possibly execute arbitrary code. This issue did not affect Ubuntu 6.06 in the default installation. (CVE-2008-0226, CVE-2008-0227). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	31638
published	2008-03-21
reporter	Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/31638
title	Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : mysql-dfsg-5.0 vulnerabilities (USN-588-1)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-588-2.NASL
description	USN-588-1 fixed vulnerabilities in MySQL. In fixing CVE-2007-2692 for Ubuntu 6.06, additional improvements were made to make privilege checks more restictive. As a result, an upstream bug was exposed which could cause operations on tables or views in a different database to fail. This update fixes the problem. We apologize for the inconvenience. Masaaki Hirose discovered that MySQL could be made to dereference a NULL pointer. An authenticated user could cause a denial of service (application crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA table. This issue only affects Ubuntu 6.06 and 6.10. (CVE-2006-7232) Alexander Nozdrin discovered that MySQL did not restore database access privileges when returning from SQL SECURITY INVOKER stored routines. An authenticated user could exploit this to gain privileges. This issue does not affect Ubuntu 7.10. (CVE-2007-2692) Martin Friebe discovered that MySQL did not properly update the DEFINER value of an altered view. An authenticated user could use CREATE SQL SECURITY DEFINER VIEW and ALTER VIEW statements to gain privileges. (CVE-2007-6303) Luigi Auriemma discovered that yaSSL as included in MySQL did not properly validate its input. A remote attacker could send crafted requests and cause a denial of service or possibly execute arbitrary code. This issue did not affect Ubuntu 6.06 in the default installation. (CVE-2008-0226, CVE-2008-0227). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	31783
published	2008-04-04
reporter	Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/31783
title	Ubuntu 6.06 LTS : mysql-dfsg-5.0 regression (USN-588-2)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2007-1157.NASL
description	The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2007-1157.
last seen	2020-06-01
modified	2020-06-02
plugin id	29752
published	2007-12-24
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/29752
title	CentOS 4 : mysql (CESA-2007:1222-001)

NASL family	SuSE Local Security Checks
NASL id	SUSE_MYSQL-4879.NASL
description	This update fixes several security vulnerabilities (note: not all versions are affected by every bug) : - CVE-2007-2583 - CVE-2007-2691 - CVE-2007-2692 - CVE-2007-5925 - CVE-2007-5969 - CVE-2007-6303 - CVE-2007-6304
last seen	2020-06-01
modified	2020-06-02
plugin id	30182
published	2008-02-05
reporter	This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/30182
title	SuSE 10 Security Update : MySQL (ZYPP Patch Number 4879)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-200804-04.NASL
description	The remote host is affected by the vulnerability described in GLSA-200804-04 (MySQL: Multiple vulnerabilities) Multiple vulnerabilities have been reported in MySQL: Mattias Jonsson reported that a
last seen	2020-06-01
modified	2020-06-02
plugin id	31835
published	2008-04-11
reporter	This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/31835
title	GLSA-200804-04 : MySQL: Multiple vulnerabilities

NASL family	Mandriva Local Security Checks
NASL id	MANDRIVA_MDVSA-2008-028.NASL
description	The mysql_change_db() function in MySQL 5.0.x before 5.0.40 did not restore THD::db_access privileges when returning from SQL SECURITY INVOKER stored routines, which allowed remote authenticated users to gain privileges (CVE-2007-2692). The federated engine in MySQL 5.0.x, when performing a certain SHOW TABLE STATUS query, did not properly handle a response with a small number of columns, which could allow a remote MySQL server to cause a denial of service (federated handler crash and daemon crash) via a response that lacks the minimum required number of columns (CVE-2007-6304). The updated packages provide MySQL 5.0.45 for all Mandriva Linux platforms that shipped with MySQL 5.0.x which offers a number of feature enhancements and bug fixes. In addition, the updates for Corporate Server 4.0 include support for the Sphinx engine. Please note that due to the package name change (from
last seen	2020-06-01
modified	2020-06-02
plugin id	36399
published	2009-04-23
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/36399
title	Mandriva Linux Security Advisory : mysql (MDVSA-2008:028)

NASL family	Databases
NASL id	MYSQL_6_0_4.NASL
description	The version of MySQL installed on the remote host is earlier than 5.0.51a / 5.1.23 / 6.0.4 and thus reportedly affected by the following two vulnerabilities : - An attacker may be able to cause the federated handler and daemon to crash when the federated engine issues a SHOW TABLE STATUS LIKE query by having a malicious server return a response with less than 14 columns. (MySQL bug #29801 / CVE-2007-6304) - It fails to update the DEFINER value of a view when that is altered, which could allow an authenticated user to gain additional access through the ALTER VIEW. (MySQL bug #29908 / CVE-2007-6303)
last seen	2020-06-01
modified	2020-06-02
plugin id	17813
published	2012-01-16
reporter	This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/17813
title	MySQL < 5.0.51a / 5.1.23 / 6.0.4 Multiple Vulnerabilities

NASL family	Mandriva Local Security Checks
NASL id	MANDRIVA_MDVSA-2008-017.NASL
description	MySQL 5.0.x did not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement (CVE-2007-6303). The federated engine in MySQL 5.0.x, when performing a certain SHOW TABLE STATUS query, did not properly handle a response with a small number of columns, which could allow a remote MySQL server to cause a denial of service (federated handler crash and daemon crash) via a response that lacks the minimum required number of columns (CVE-2007-6304). The updated packages have been patched to correct these issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	36404
published	2009-04-23
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/36404
title	Mandriva Linux Security Advisory : mysql (MDVSA-2008:017)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2007-4465.NASL
description	- Thu Dec 13 2007 Tom Lane <tgl at redhat.com> 5.0.45-6 - Back-port upstream fixes for CVE-2007-5925, CVE-2007-5969, CVE-2007-6303. Related: #422211 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	29712
published	2007-12-17
reporter	This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/29712
title	Fedora 8 : mysql-5.0.45-6.fc8 (2007-4465)

NASL family	F5 Networks Local Security Checks
NASL id	F5_BIGIP_SOL8178.NASL
description	Information about these advisories is available at the following locations :
last seen	2020-06-01
modified	2020-06-02
plugin id	78218
published	2014-10-10
reporter	This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/78218
title	F5 Networks BIG-IP : MySQL vulnerabilities (SOL8178)

NASL family	SuSE Local Security Checks
NASL id	SUSE9_12044.NASL
description	This update fixes several security vulnerabilities (note: not all versions are affected by every bug) : - CVE-2007-2583 - CVE-2007-2691 - CVE-2007-2692 - CVE-2007-5925 - CVE-2007-5969 - CVE-2007-6303 - CVE-2007-6304
last seen	2020-06-01
modified	2020-06-02
plugin id	41184
published	2009-09-24
reporter	This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/41184
title	SuSE9 Security Update : MySQL (YOU Patch Number 12044)

NASL family	Databases
NASL id	MYSQL_ENTERPRISE_5_0_52.NASL
description	The version of MySQL Enterprise Server 5.0 installed on the remote host is earlier than 5.0.52. Such versions reportedly are affected by the following issues : - Using RENAME TABLE against a table with explicit DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system table information. (Bug #32111). - ALTER VIEW retained the original DEFINER value, even when altered by another user, which could allow that user to gain the access rights of the view. (Bug #29908) - When using a FEDERATED table, the local server can be forced to crash if the remote server returns a result with fewer columns than expected. (Bug #29801)
last seen	2020-06-01
modified	2020-06-02
plugin id	29346
published	2007-12-13
reporter	This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/29346
title	MySQL Enterprise Server 5.0 < 5.0.52 Multiple Vulnerabilities

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2007-4471.NASL
description	- Thu Dec 13 2007 Tom Lane <tgl at redhat.com> 5.0.45-6 - Back-port upstream fixes for CVE-2007-5925, CVE-2007-5969, CVE-2007-6303. Related: #422211 - Update License tag to match code. - Sun Jul 22 2007 Tom Lane <tgl at redhat.com> 5.0.45-1 - Update to MySQL 5.0.45 Resolves: #246535 - Move mysql_config
last seen	2020-06-01
modified	2020-06-02
plugin id	29714
published	2007-12-17
reporter	This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/29714
title	Fedora 7 : mysql-5.0.45-6.fc7 (2007-4471)

NASL family	Databases
NASL id	MYSQL_5_1_23.NASL
description	The version of MySQL Server installed on the remote host reportedly is affected by the following issues : - It is possible, by creating a partitioned table using the DATA DIRECTORY and INDEX DIRECTORY options, to gain privileges on other tables having the same name as the partitioned table. (Bug #32091) - Using RENAME TABLE against a table with explicit DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system table information. (Bug #32111). - ALTER VIEW retains the original DEFINER value, even when altered by another user, which can allow that user to gain the access rights of the view. (Bug #29908) - When using a FEDERATED table, the local server can be forced to crash if the remote server returns a result with fewer columns than expected. (Bug #29801)
last seen	2020-06-01
modified	2020-06-02
plugin id	29345
published	2007-12-13
reporter	This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/29345
title	MySQL Community Server < 5.1.23 / 6.0.4 Multiple Vulnerabilities

NASL family	SuSE Local Security Checks
NASL id	SUSE_LIBMYSQLCLIENT-DEVEL-4873.NASL
description	This update fixes several security vulnerabilities (note: not all versions are affected by every bug) : - CVE-2007-2583 - CVE-2007-2691 - CVE-2007-2692 - CVE-2007-5925 - CVE-2007-5969 - CVE-2007-6303 - CVE-2007-6304
last seen	2020-06-01
modified	2020-06-02
plugin id	30180
published	2008-02-05
reporter	This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/30180
title	openSUSE 10 Security Update : libmysqlclient-devel (libmysqlclient-devel-4873)

Redhat

advisories

rhsa

id	RHSA-2007:1157

rpms

mysql-0:5.0.44-2.el4s1.1
mysql-0:5.0.44-3.el5s2
mysql-bench-0:5.0.44-2.el4s1.1
mysql-bench-0:5.0.44-3.el5s2
mysql-cluster-0:5.0.44-2.el4s1.1
mysql-cluster-0:5.0.44-3.el5s2
mysql-debuginfo-0:5.0.44-2.el4s1.1
mysql-debuginfo-0:5.0.44-3.el5s2
mysql-devel-0:5.0.44-2.el4s1.1
mysql-devel-0:5.0.44-3.el5s2
mysql-libs-0:5.0.44-2.el4s1.1
mysql-libs-0:5.0.44-3.el5s2
mysql-server-0:5.0.44-2.el4s1.1
mysql-server-0:5.0.44-3.el5s2
mysql-test-0:5.0.44-2.el4s1.1
mysql-test-0:5.0.44-3.el5s2

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 26832<br /> CVE(CAN) ID: CVE-2007-6303,CVE-2007-6304<br /> <br /> MySQL是一款使用非常广泛的开放源代码关系数据库系统，拥有各种平台的运行版本。<br /> <br /> 在视图已经更改时MySQL没有更新视图的DEFINER值，这允许已认证的远程攻击者通过一系列的CREATE SQL SECURITY DEFINER VIEW和ALTER VIEW语句获得权限提升。 <br /> <br /> MySQL的federated引擎在执行某些SHOW TABLE STATUS查询时没有正确地处理少量列数的响应，如果响应缺少必须的最少列数的话，就可能导致远程MySQL服务器崩溃。<br /> MySQL AB MySQL 6.0.x MySQL AB MySQL 5.1.x MySQL AB MySQL 5.0.x 临时解决方法： * 使用mysql_num_fields()判断查询是否返回了预期的列数。厂商补丁： MySQL AB -------- 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： <a href=http://www.mysql.com/ target=_blank>http://www.mysql.com/</a>
id	SSV:2606
last seen	2017-11-19
modified	2007-12-14
published	2007-12-14
reporter	Root
title	MySQL Server权限提升及拒绝服务漏洞

Statements

contributor	Mark J Cox
lastmodified	2008-01-09
organization	Red Hat
statement	This issue did not affect the mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue affected the mysql packages as shipped in Red Hat Application Stack v1 and v2 and was addressed by RHSA-2007:1157: http://rhn.redhat.com/errata/RHSA-2007-1157.html