Vulnerability Details : CVE-2008-4098

MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097.

Published 2008-09-18 15:04:27

Updated 2019-12-17 20:26:08

Source Red Hat, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2008-4098

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 8 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2008-4098

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
4.6	MEDIUM	AV:N/AC:H/Au:S/C:P/I:P/A:P	3.9	6.4	[email protected]
Access Vector: Network Access Complexity: High Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2008-4098

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Assigned by: [email protected] (Primary)

Vendor statements for CVE-2008-4098

Red Hat 2010-02-17

This issue was addressed in Red Hat Enterprise Linux 4 via https://rhn.redhat.com/errata/RHSA-2010-0110.html and in Red Hat Application Stack v2 via https://rhn.redhat.com/errata/RHSA-2009-1067.html . In Red Hat Enterprise Linux 5, issue CVE-2008-2079 was fixed without introducing CVE-2008-4098 in https://rhn.redhat.com/errata/RHSA-2009-1289.html .

References for CVE-2008-4098

http://www.debian.org/security/2008/dsa-1662

Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0110.html

Third Party Advisory

CVEs referencing this url
http://www.ubuntu.com/usn/USN-671-1

Third Party Advisory

CVEs referencing this url
http://ubuntu.com/usn/usn-897-1

Third Party Advisory

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/45649
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00001.html

Third Party Advisory

CVEs referencing this url
http://www.redhat.com/support/errata/RHSA-2009-1067.html

Third Party Advisory

CVEs referencing this url
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10591
http://www.openwall.com/lists/oss-security/2008/09/16/3

Mailing List;Third Party Advisory

CVEs referencing this url
http://www.ubuntu.com/usn/USN-1397-1

CVEs referencing this url
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25

Issue Tracking;Third Party Advisory

CVEs referencing this url
http://bugs.mysql.com/bug.php?id=32167

Patch;Issue Tracking;Vendor Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2008/09/09/20

Mailing List;Third Party Advisory

CVEs referencing this url
http://www.mandriva.com/security/advisories?name=MDVSA-2009:094

Broken Link

CVEs referencing this url

Products affected by CVE-2008-4098

Debian » Debian Linux » Version: 5.0
cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.41
cpe:2.3:a:oracle:mysql:5.0.41:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.32
cpe:2.3:a:oracle:mysql:5.0.32:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.34
cpe:2.3:a:oracle:mysql:5.0.34:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.51
cpe:2.3:a:oracle:mysql:5.0.51:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.52
cpe:2.3:a:oracle:mysql:5.0.52:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.25
cpe:2.3:a:oracle:mysql:5.0.25:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.26
cpe:2.3:a:oracle:mysql:5.0.26:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.42
cpe:2.3:a:oracle:mysql:5.0.42:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.44 Update SP1
cpe:2.3:a:oracle:mysql:5.0.44:sp1:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.45
cpe:2.3:a:oracle:mysql:5.0.45:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.58
cpe:2.3:a:oracle:mysql:5.0.58:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.60 Update SP1
cpe:2.3:a:oracle:mysql:5.0.60:sp1:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.62
cpe:2.3:a:oracle:mysql:5.0.62:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.23
cpe:2.3:a:oracle:mysql:5.0.23:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.40
cpe:2.3:a:oracle:mysql:5.0.40:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.48
cpe:2.3:a:oracle:mysql:5.0.48:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.50 Update SP1
cpe:2.3:a:oracle:mysql:5.0.50:sp1:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.28
cpe:2.3:a:oracle:mysql:5.0.28:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.30 Update SP1
cpe:2.3:a:oracle:mysql:5.0.30:sp1:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.36 Update SP1
cpe:2.3:a:oracle:mysql:5.0.36:sp1:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.38
cpe:2.3:a:oracle:mysql:5.0.38:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.46
cpe:2.3:a:oracle:mysql:5.0.46:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.50
cpe:2.3:a:oracle:mysql:5.0.50:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.56 Update SP1
cpe:2.3:a:oracle:mysql:5.0.56:sp1:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.64
cpe:2.3:a:oracle:mysql:5.0.64:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql » Version: 5.0.66 Update SP1
cpe:2.3:a:oracle:mysql:5.0.66:sp1:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.1
cpe:2.3:a:mysql:mysql:5.0.1:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.2
cpe:2.3:a:mysql:mysql:5.0.2:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.3
cpe:2.3:a:mysql:mysql:5.0.3:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.4
cpe:2.3:a:mysql:mysql:5.0.4:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.15
cpe:2.3:a:mysql:mysql:5.0.15:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.5
cpe:2.3:a:mysql:mysql:5.0.5:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.16
cpe:2.3:a:mysql:mysql:5.0.16:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.17
cpe:2.3:a:mysql:mysql:5.0.17:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.10
cpe:2.3:a:mysql:mysql:5.0.10:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.20
cpe:2.3:a:mysql:mysql:5.0.20:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.0
cpe:2.3:a:mysql:mysql:5.0.0:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.24
cpe:2.3:a:mysql:mysql:5.0.24:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.30
cpe:2.3:a:mysql:mysql:5.0.30:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.36
cpe:2.3:a:mysql:mysql:5.0.36:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.44
cpe:2.3:a:mysql:mysql:5.0.44:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.60
cpe:2.3:a:mysql:mysql:5.0.60:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.54
cpe:2.3:a:mysql:mysql:5.0.54:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.56
cpe:2.3:a:mysql:mysql:5.0.56:*:*:*:*:*:*:*
Matching versions
Mysql » Mysql » Version: 5.0.66
cpe:2.3:a:mysql:mysql:5.0.66:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 6.06 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 7.10
cpe:2.3:o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 8.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 8.10
cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 9.04
cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 9.10
cpe:2.3:o:canonical:ubuntu_linux:9.10:*:*:*:*:*:*:*
Matching versions