CVE-2013-2162 - OpenCVE

Race condition in the post-installation script (mysql-server-5.5.postinst) for MySQL Server 5.5 for Debian GNU/Linux and Ubuntu Linux creates a configuration file with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as credentials.

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Canonical	Ubuntu Linux

Configuration 1 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:::::*
	cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:::::*
	cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:13.04:::::::*

References

Link	Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711600	Exploit
http://seclists.org/oss-sec/2013/q2/528
http://secunia.com/advisories/54300	Vendor Advisory
http://ubuntu.com/usn/usn-1909-1	Vendor Advisory
http://www.debian.org/security/2013/dsa-2818
http://www.securityfocus.com/bid/60424

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2013-08-19T00:00:00

Updated: 2014-01-08T19:57:00

Reserved: 2013-02-19T00:00:00

Link: CVE-2013-2162

JSON object: View

NVD Information

Status : Modified

Published: 2013-08-19T13:07:40.867

Modified: 2014-01-14T04:24:44.933

Link: CVE-2013-2162

JSON object: View

Redhat Information

No data.

CWE

CWE-362

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-06-08T00:00:00", "descriptions": [{"lang": "en", "value": "Race condition in the post-installation script (mysql-server-5.5.postinst) for MySQL Server 5.5 for Debian GNU/Linux and Ubuntu Linux creates a configuration file with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as credentials."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-01-08T19:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "54300", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/54300"}, {"name": "DSA-2818", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2013/dsa-2818"}, {"tags": ["x_refsource_MISC"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711600"}, {"name": "[oss-security] 20130608 Re: CVE request: Debian's package \"mysql-server\" leaks credential information", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2013/q2/528"}, {"name": "60424", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/60424"}, {"name": "USN-1909-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://ubuntu.com/usn/usn-1909-1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-2162", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Race condition in the post-installation script (mysql-server-5.5.postinst) for MySQL Server 5.5 for Debian GNU/Linux and Ubuntu Linux creates a configuration file with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as credentials."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "54300", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/54300"}, {"name": "DSA-2818", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2013/dsa-2818"}, {"name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711600", "refsource": "MISC", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711600"}, {"name": "[oss-security] 20130608 Re: CVE request: Debian's package \"mysql-server\" leaks credential information", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2013/q2/528"}, {"name": "60424", "refsource": "BID", "url": "http://www.securityfocus.com/bid/60424"}, {"name": "USN-1909-1", "refsource": "UBUNTU", "url": "http://ubuntu.com/usn/usn-1909-1"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2162", "datePublished": "2013-08-19T00:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2014-01-08T19:57:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*", "matchCriteriaId": "7118F616-25CA-4E34-AA13-4D14BB62419F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*", "matchCriteriaId": "F5D324C4-97C7-49D3-A809-9EAD4B690C69", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*", "matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*", "matchCriteriaId": "EFAA48D9-BEB4-4E49-AD50-325C262D46D9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Race condition in the post-installation script (mysql-server-5.5.postinst) for MySQL Server 5.5 for Debian GNU/Linux and Ubuntu Linux creates a configuration file with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as credentials."}, {"lang": "es", "value": "Condici\u00f3n de carrera en el script de post-instalaci\u00f3n (mysql-server-5.5.postinst) para MySQL Server 5.5 para Debian GNU/Linux y Ubuntu Linux crea un archivo de configuraci\u00f3n con permisos de lecturas globales antes de restringir los mismos, lo que permite a usuarios locales leer el archivo y obtener informaci\u00f3n sensible como credenciales."}], "id": "CVE-2013-2162", "lastModified": "2014-01-14T04:24:44.933", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-08-19T13:07:40.867", "references": [{"source": "secalert@redhat.com", "tags": ["Exploit"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711600"}, {"source": "secalert@redhat.com", "url": "http://seclists.org/oss-sec/2013/q2/528"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/54300"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://ubuntu.com/usn/usn-1909-1"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2013/dsa-2818"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/60424"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}