A Database User Privilege Elevation was found in MySQL. An attacker with 'FILE' privilege could use this flaw elevate its permissions to that of the MySQL admin user. Reference: http://seclists.org/fulldisclosure/2012/Dec/6 This issue was assigned CVE-2012-5613.
Some other references: http://www.openwall.com/lists/oss-security/2012/12/02/3 http://www.openwall.com/lists/oss-security/2012/12/02/4 -- The issue is disputed: * CVE-2012-5613: ** DISPUTED ** MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a and possibly other versions, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator. NOTE: the vendor disputes this issue, stating that this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation. NOTE: it could be argued that this should not be included in CVE because it is a configuration issue. --
This is not a security issue. As per MySQL manual: * The `FILE' privilege can be abused to read into a database table any files that the MySQL server can read on the server host. This includes all world-readable files and files in the server's data directory. The table can then be accessed using *Note `SELECT': select. to transfer its contents to the client host. Red Hat recommends not to grant `FILE' privilege to nonadministrative/untrusted users. Any user that has this privilege can write a file anywhere in the file system with the privileges of the mysqld. daemon. Additionally, MySQL provides a --secure-file-priv option that allows to restrict all FILE operations to a specific directory. Closing this bug as a non-issue. References: http://dev.mysql.com/doc/refman/5.0/en/privileges-provided.html#priv_file http://dev.mysql.com/doc/refman/5.0/en/server-system-variables.html#sysvar_secure_file_priv http://www.openwall.com/lists/oss-security/2012/12/02/4
Statement: Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.