Vulnerability Description
MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mysql | Mysql | <= 4.1.22 |
| Debian | Debian Linux | 3.1 |
| Canonical | Ubuntu Linux | 6.06 |
References
- http://bugs.mysql.com/bug.php?id=27515Vendor Advisory
- http://dev.mysql.com/doc/refman/5.1/en/news-5-1-18.htmlPatchVendor Advisory
- http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.htmlMailing ListThird Party Advisory
- http://lists.mysql.com/announce/470Vendor Advisory
- http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00003.htmlThird Party Advisory
- http://osvdb.org/34766Broken Link
- http://secunia.com/advisories/25301Third Party Advisory
- http://secunia.com/advisories/25946Third Party Advisory
- http://secunia.com/advisories/26073Third Party Advisory
- http://secunia.com/advisories/26430Third Party Advisory
- http://secunia.com/advisories/27155Third Party Advisory
- http://secunia.com/advisories/27823Third Party Advisory
- http://secunia.com/advisories/28838Third Party Advisory
- http://secunia.com/advisories/30351Third Party Advisory
- http://secunia.com/advisories/31226Third Party Advisory
FAQ
What is CVE-2007-2691?
CVE-2007-2691 is a vulnerability with a CVSS score of 4.9 (MEDIUM). MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables.
How severe is CVE-2007-2691?
CVE-2007-2691 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2007-2691?
Check the references section above for vendor advisories and patch information. Affected products include: Mysql Mysql, Debian Debian Linux, Canonical Ubuntu Linux.