Vulnerabilities > CVE-2007-6304 - Privilege Escalation And Denial Of Service vulnerability in MySQL Server
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Summary
The federated engine in MySQL 5.0.x before 5.0.51a, 5.1.x before 5.1.23, and 6.0.x before 6.0.4, when performing a certain SHOW TABLE STATUS query, allows remote MySQL servers to cause a denial of service (federated handler crash and daemon crash) via a response that lacks the minimum required number of columns.
Vulnerable Configurations
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_MYSQL-4879.NASL description This update fixes several security vulnerabilities (note: not all versions are affected by every bug) : - CVE-2007-2583 - CVE-2007-2691 - CVE-2007-2692 - CVE-2007-5925 - CVE-2007-5969 - CVE-2007-6303 - CVE-2007-6304 last seen 2020-06-01 modified 2020-06-02 plugin id 30182 published 2008-02-05 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/30182 title SuSE 10 Security Update : MySQL (ZYPP Patch Number 4879) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#
# Local (rpm-list based) check for ZYPP patch 4879 on SuSE 10: the host is
# reported as affected when any listed MySQL package is older than the
# fixed build 5.0.26-12.16 on SLED10 SP1 or SLES10 SP1.

if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if (description)
{
  script_id(30182);
  script_version("1.18");
  script_cvs_date("Date: 2019/10/25 13:36:32");

  script_cve_id(
    "CVE-2007-2583",
    "CVE-2007-2691",
    "CVE-2007-2692",
    "CVE-2007-5925",
    "CVE-2007-5969",
    "CVE-2007-6303",
    "CVE-2007-6304"
  );

  script_name(english:"SuSE 10 Security Update : MySQL (ZYPP Patch Number 4879)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SuSE 10 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update fixes several security vulnerabilities (note: not all versions are affected by every bug) : - CVE-2007-2583 - CVE-2007-2691 - CVE-2007-2692 - CVE-2007-5925 - CVE-2007-5969 - CVE-2007-6303 - CVE-2007-6304"
  );
  # One vendor CVE page per fixed issue.
  script_set_attribute(attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-2583.html");
  script_set_attribute(attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-2691.html");
  script_set_attribute(attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-2692.html");
  script_set_attribute(attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-5925.html");
  script_set_attribute(attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-5969.html");
  script_set_attribute(attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-6303.html");
  script_set_attribute(attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-6304.html");
  script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 4879.");

  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C");
  script_cwe_id(20, 189, 264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/01/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/02/05");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("global_settings.inc");
include("rpm.inc");

# Prerequisites for a local check; a missing package list is an error,
# the other two simply mean the plugin does not apply.
if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
# Only the x86_64 and i386..i686 package sets are covered below.
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$")
  exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");

# Every affected package was rebuilt at the same version-release.
fixed = "5.0.26-12.16";

affected = 0;

# SLED10 SP1 package set (the 32bit compat library exists only on x86_64).
foreach pkg (make_list("mysql", "mysql-client", "mysql-devel", "mysql-shared"))
{
  if (rpm_check(release:"SLED10", sp:1, reference:pkg + "-" + fixed)) affected++;
}
if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"mysql-shared-32bit-" + fixed)) affected++;

# SLES10 SP1 additionally ships mysql-Max.
foreach pkg (make_list("mysql", "mysql-Max", "mysql-client", "mysql-devel", "mysql-shared"))
{
  if (rpm_check(release:"SLES10", sp:1, reference:pkg + "-" + fixed)) affected++;
}
if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"mysql-shared-32bit-" + fixed)) affected++;

if (affected)
{
  # rpm_report_get() returns the package comparison collected by rpm_check().
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else exit(0, "The host is not affected.");
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200804-04.NASL description The remote host is affected by the vulnerability described in GLSA-200804-04 (MySQL: Multiple vulnerabilities) Multiple vulnerabilities have been reported in MySQL: Mattias Jonsson reported that a last seen 2020-06-01 modified 2020-06-02 plugin id 31835 published 2008-04-11 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31835 title GLSA-200804-04 : MySQL: Multiple vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-028.NASL description The mysql_change_db() function in MySQL 5.0.x before 5.0.40 did not restore THD::db_access privileges when returning from SQL SECURITY INVOKER stored routines, which allowed remote authenticated users to gain privileges (CVE-2007-2692). The federated engine in MySQL 5.0.x, when performing a certain SHOW TABLE STATUS query, did not properly handle a response with a small number of columns, which could allow a remote MySQL server to cause a denial of service (federated handler crash and daemon crash) via a response that lacks the minimum required number of columns (CVE-2007-6304). The updated packages provide MySQL 5.0.45 for all Mandriva Linux platforms that shipped with MySQL 5.0.x which offers a number of feature enhancements and bug fixes. In addition, the updates for Corporate Server 4.0 include support for the Sphinx engine. Please note that due to the package name change (from last seen 2020-06-01 modified 2020-06-02 plugin id 36399 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/36399 title Mandriva Linux Security Advisory : mysql (MDVSA-2008:028) NASL family Databases NASL id MYSQL_6_0_4.NASL description The version of MySQL installed on the remote host is earlier than 5.0.51a / 5.1.23 / 6.0.4 and thus reportedly affected by the following two vulnerabilities : - An attacker may be able to cause the federated handler and daemon to crash when the federated engine issues a SHOW TABLE STATUS LIKE query by having a malicious server return a response with less than 14 columns. (MySQL bug #29801 / CVE-2007-6304) - It fails to update the DEFINER value of a view when that is altered, which could allow an authenticated user to gain additional access through the ALTER VIEW. (MySQL bug #29908 / CVE-2007-6303) last seen 2020-06-01 modified 2020-06-02 plugin id 17813 published 2012-01-16 reporter This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/17813 title MySQL < 5.0.51a / 5.1.23 / 6.0.4 Multiple Vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-017.NASL description MySQL 5.0.x did not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement (CVE-2007-6303). The federated engine in MySQL 5.0.x, when performing a certain SHOW TABLE STATUS query, did not properly handle a response with a small number of columns, which could allow a remote MySQL server to cause a denial of service (federated handler crash and daemon crash) via a response that lacks the minimum required number of columns (CVE-2007-6304). The updated packages have been patched to correct these issues. 
last seen 2020-06-01 modified 2020-06-02 plugin id 36404 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/36404 title Mandriva Linux Security Advisory : mysql (MDVSA-2008:017) NASL family SuSE Local Security Checks NASL id SUSE9_12044.NASL description This update fixes several security vulnerabilities (note: not all versions are affected by every bug) : - CVE-2007-2583 - CVE-2007-2691 - CVE-2007-2692 - CVE-2007-5925 - CVE-2007-5969 - CVE-2007-6303 - CVE-2007-6304 last seen 2020-06-01 modified 2020-06-02 plugin id 41184 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41184 title SuSE9 Security Update : MySQL (YOU Patch Number 12044) NASL family Databases NASL id MYSQL_ENTERPRISE_5_0_52.NASL description The version of MySQL Enterprise Server 5.0 installed on the remote host is earlier than 5.0.52. Such versions reportedly are affected by the following issues : - Using RENAME TABLE against a table with explicit DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system table information. (Bug #32111). - ALTER VIEW retained the original DEFINER value, even when altered by another user, which could allow that user to gain the access rights of the view. (Bug #29908) - When using a FEDERATED table, the local server can be forced to crash if the remote server returns a result with fewer columns than expected. (Bug #29801) last seen 2020-06-01 modified 2020-06-02 plugin id 29346 published 2007-12-13 reporter This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/29346 title MySQL Enterprise Server 5.0 < 5.0.52 Multiple Vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-559-1.NASL description Joe Gallo and Artem Russakovskii discovered that the InnoDB engine in MySQL did not properly perform input validation. An authenticated user could use a crafted CONTAINS statement to cause a denial of service. (CVE-2007-5925) It was discovered that under certain conditions MySQL could be made to overwrite system table information. An authenticated user could use a crafted RENAME statement to escalate privileges. (CVE-2007-5969) Philip Stoev discovered that the federated engine of MySQL did not properly handle responses with a small number of columns. An authenticated user could use a crafted response to a SHOW TABLE STATUS query and cause a denial of service. (CVE-2007-6304) It was discovered that MySQL did not properly enforce access controls. An authenticated user could use a crafted CREATE TABLE LIKE statement to escalate privileges. (CVE-2007-3781). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 29793 published 2007-12-24 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/29793 title Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : mysql-dfsg-5.0 vulnerabilities (USN-559-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1451.NASL description Several local/remote vulnerabilities have been discovered in the MySQL database server.
The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3781 It was discovered that the privilege validation for the source table of CREATE TABLE LIKE statements was insufficiently enforced, which might lead to information disclosure. This is only exploitable by authenticated users. - CVE-2007-5969 It was discovered that symbolic links were handled insecurely during the creation of tables with DATA DIRECTORY or INDEX DIRECTORY statements, which might lead to denial of service by overwriting data. This is only exploitable by authenticated users. - CVE-2007-6304 It was discovered that queries to data in a FEDERATED table can lead to a crash of the local database server, if the remote server returns information with less columns than expected, resulting in denial of service. last seen 2020-06-01 modified 2020-06-02 plugin id 29860 published 2008-01-07 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/29860 title Debian DSA-1451-1 : mysql-dfsg-5.0 - several vulnerabilities NASL family Databases NASL id MYSQL_5_1_23.NASL description The version of MySQL Server installed on the remote host reportedly is affected by the following issues : - It is possible, by creating a partitioned table using the DATA DIRECTORY and INDEX DIRECTORY options, to gain privileges on other tables having the same name as the partitioned table. (Bug #32091) - Using RENAME TABLE against a table with explicit DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system table information. (Bug #32111). - ALTER VIEW retains the original DEFINER value, even when altered by another user, which can allow that user to gain the access rights of the view. (Bug #29908) - When using a FEDERATED table, the local server can be forced to crash if the remote server returns a result with fewer columns than expected. 
(Bug #29801) last seen 2020-06-01 modified 2020-06-02 plugin id 29345 published 2007-12-13 reporter This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/29345 title MySQL Community Server < 5.1.23 / 6.0.4 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_LIBMYSQLCLIENT-DEVEL-4873.NASL description This update fixes several security vulnerabilities (note: not all versions are affected by every bug) : - CVE-2007-2583 - CVE-2007-2691 - CVE-2007-2692 - CVE-2007-5925 - CVE-2007-5969 - CVE-2007-6303 - CVE-2007-6304 last seen 2020-06-01 modified 2020-06-02 plugin id 30180 published 2008-02-05 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/30180 title openSUSE 10 Security Update : libmysqlclient-devel (libmysqlclient-devel-4873)
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 26832<br /> CVE(CAN) ID: CVE-2007-6303,CVE-2007-6304<br /> <br /> MySQL是一款使用非常广泛的开放源代码关系数据库系统,拥有各种平台的运行版本。<br /> <br /> 在视图已经更改时MySQL没有更新视图的DEFINER值,这允许已认证的远程攻击者通过一系列的CREATE SQL SECURITY DEFINER VIEW和ALTER VIEW语句获得权限提升。 <br /> <br /> MySQL的federated引擎在执行某些SHOW TABLE STATUS查询时没有正确地处理少量列数的响应,如果响应缺少必须的最少列数的话,就可能导致远程MySQL服务器崩溃。<br /> MySQL AB MySQL 6.0.x MySQL AB MySQL 5.1.x MySQL AB MySQL 5.0.x 临时解决方法: * 使用mysql_num_fields()判断查询是否返回了预期的列数。 厂商补丁: MySQL AB -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.mysql.com/ target=_blank>http://www.mysql.com/</a> |
id | SSV:2606 |
last seen | 2017-11-19 |
modified | 2007-12-14 |
published | 2007-12-14 |
reporter | Root |
title | MySQL Server权限提升及拒绝服务漏洞 |
Statements
contributor | Mark J Cox |
lastmodified | 2007-12-14 |
organization | Red Hat |
statement | Not vulnerable. The MySQL versions as shipped in Red Hat Enterprise Linux 2.1, 3, and 4 do not support federated storage engine. The MySQL package as shipped in Red Hat Enterprise Linux 5, Red Hat Application Stack v1, and Red Hat Application Stack v2 are not compiled with support for federated storage engine. |
References
- http://bugs.mysql.com/bug.php?id=29801
- http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-52.html
- http://dev.mysql.com/doc/refman/5.1/en/news-5-1-23.html
- http://dev.mysql.com/doc/refman/6.0/en/news-6-0-4.html
- http://lists.mysql.com/announce/502
- http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00003.html
- http://osvdb.org/42609
- http://secunia.com/advisories/28063
- http://secunia.com/advisories/28128
- http://secunia.com/advisories/28343
- http://secunia.com/advisories/28637
- http://secunia.com/advisories/28739
- http://secunia.com/advisories/28838
- http://secunia.com/advisories/29706
- http://security.gentoo.org/glsa/glsa-200804-04.xml
- http://securitytracker.com/id?1019085
- http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0040
- http://www.debian.org/security/2008/dsa-1451
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:017
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:028
- http://www.securityfocus.com/archive/1/487606/100/0/threaded
- http://www.securityfocus.com/bid/26832
- http://www.vupen.com/english/advisories/2007/4198
- https://exchange.xforce.ibmcloud.com/vulnerabilities/38990
- https://issues.rpath.com/browse/RPL-2187
- https://usn.ubuntu.com/559-1/