CVE-2013-2162 : Race condition in the post-installation script (mysql-server-5.5.postinst) for M

Race condition in the post-installation script (mysql-server-5.5.postinst) for MySQL Server 5.5 for Debian GNU/Linux and Ubuntu Linux creates a configuration file with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as credentials.

Published 2013-08-19 13:07:41

Updated 2025-04-11 00:51:22

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2013-2162

Canonical » Ubuntu Linux » Version: 12.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 13.04
cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.10
cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 10.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-2162

EPSS FAQ

0.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 6 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-2162

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
1.9	LOW	AV:L/AC:M/Au:N/C:P/I:N/A:N	3.4	2.9	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2013-2162

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-2162

http://www.securityfocus.com/bid/60424

Debian mysql-server CVE-2013-2162 Insecure File Creation Vulnerability
http://secunia.com/advisories/54300

Sign in
Vendor Advisory

CVEs referencing this url
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711600

#711600 - mysql-server: CVE-2013-2162: Insecure creation of the credential file debian.cnf - Debian Bug report logs
Exploit
http://www.debian.org/security/2013/dsa-2818

Debian -- Security Information -- DSA-2818-1 mysql-5.5

CVEs referencing this url
http://seclists.org/oss-sec/2013/q2/528

oss-sec: Re: CVE request: Debian's package "mysql-server" leaks credential information
http://ubuntu.com/usn/usn-1909-1

USN-1909-1: MySQL vulnerabilities | Ubuntu security notices
Vendor Advisory

Jump to

Vulnerability Details : CVE-2013-2162

Products affected by CVE-2013-2162

Exploit prediction scoring system (EPSS) score for CVE-2013-2162

CVSS scores for CVE-2013-2162

CWE ids for CVE-2013-2162

References for CVE-2013-2162