CVE-2009-2446

General

Score: 8.5/10.0
Severity: High
Category: Input Validation Error
Exploit: Available

Impact Metrics

Confidentiality: Complete
Integrity: Complete
Availability: Complete

Exploitability Metrics

Access Vector: Network
Access Complexity: Medium
Authentication: Multiple

Related vulnerabilities

CVE-2003-0063, CVE-2006-1329, CVE-2007-6600, CVE-2008-0564, CVE-2008-0888, CVE-2008-2079, CVE-2008-2712, CVE-2008-3963, CVE-2008-4098, CVE-2008-4101, CVE-2008-4456, CVE-2008-5302, CVE-2008-5303, CVE-2008-5515, CVE-2008-7247, CVE-2009-0033, CVE-2009-0037, CVE-2009-0316, CVE-2009-0580, CVE-2009-0688, CVE-2009-0689, CVE-2009-0781, CVE-2009-0783, CVE-2009-1904, CVE-2009-2042, CVE-2009-2417, CVE-2009-2422, CVE-2009-2632, CVE-2009-2687, CVE-2009-2693, CVE-2009-2801, CVE-2009-2901, CVE-2009-2902, CVE-2009-2906, CVE-2009-3009, CVE-2009-3094, CVE-2009-3095, CVE-2009-3229, CVE-2009-3230, CVE-2009-3231, CVE-2009-3557, CVE-2009-3558, CVE-2009-3559, CVE-2009-4017, CVE-2009-4019, CVE-2009-4030, CVE-2009-4142, CVE-2009-4143, CVE-2009-4214, CVE-2010-0041, CVE-2010-0042, CVE-2010-0043, CVE-2010-0055, CVE-2010-0056, CVE-2010-0057, CVE-2010-0058, CVE-2010-0059, CVE-2010-0060, CVE-2010-0062, CVE-2010-0063, CVE-2010-0064, CVE-2010-0065, CVE-2010-0393, CVE-2010-0497, CVE-2010-0498, CVE-2010-0500, CVE-2010-0501, CVE-2010-0502, CVE-2010-0503, CVE-2010-0504, CVE-2010-0505, CVE-2010-0506, CVE-2010-0507, CVE-2010-0508, CVE-2010-0509, CVE-2010-0510, CVE-2010-0511, CVE-2010-0512, CVE-2010-0513, CVE-2010-0514, CVE-2010-0515, CVE-2010-0516, CVE-2010-0517, CVE-2010-0518, CVE-2010-0519, CVE-2010-0520, CVE-2010-0521, CVE-2010-0522, CVE-2010-0523, CVE-2010-0524, CVE-2010-0525, CVE-2010-0526, CVE-2010-0533, CVE-2010-0534, CVE-2010-0535, CVE-2010-0537

Published on 13/07/09 - Updated on 17/12/19

Description

Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details are obtained from third party information.

Category: Input Validation Error

CWE-134 (Format String Vulnerability)
The software uses externally-controlled format strings in printf-style functions, which can lead to buffer overflows or data representation problems.

Security Notices

US National Vulnerability Database CVE-2009-2446
Agence Nationale de la Sécurité des Systèmes d'Information CERTA-2010-AVI-143
CentOS CESA-2009:1289, CESA-2010:0110
Oracle Linux ELSA-2010-0110
Red Hat RHSA-2009:1289, RHSA-2009:1461, RHSA-2010:0110
Renater 2010/VULN102

Exploits

Exploit-DB EDB-33077
SecurityFocus BID-35609

Related technologies

Vendor    Product
mysql     mysql
oracle    mysql