Vulnerabilities (CVE)

Filtered by vendor Oracle Subscribe
Filtered by product Mysql
Total 1297 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2008-4097 1 Oracle 1 Mysql 2025-04-09 4.6 MEDIUM N/A
MySQL 5.0.51a allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are associated with symlinks within pathnames for subdirectories of the MySQL home data directory, which are followed when tables are created in the future. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-2079.
CVE-2007-1420 2 Mysql, Oracle 2 Mysql, Mysql 2025-04-09 2.1 LOW N/A
MySQL 5.x before 5.0.36 allows local users to cause a denial of service (database crash) by performing information_schema table subselects and using ORDER BY to sort a single-row result, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function.
CVE-2008-0226 6 Apple, Canonical, Debian and 3 more 6 Mac Os X, Ubuntu Linux, Debian Linux and 3 more 2025-04-09 7.5 HIGH N/A
Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allow remote attackers to execute arbitrary code via (1) the ProcessOldClientHello function in handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp.
CVE-2008-4456 2 Mysql, Oracle 2 Mysql, Mysql 2025-04-09 2.6 LOW N/A
Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, and other versions including versions later than 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. NOTE: as of 20081031, the issue has not been fixed in MySQL 5.0.67.
CVE-2008-2079 4 Canonical, Debian, Mysql and 1 more 4 Ubuntu Linux, Debian Linux, Mysql and 1 more 2025-04-09 4.6 MEDIUM N/A
MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and 6.0.x before 6.0.5 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL home data directory, which can point to tables that are created in the future.
CVE-2007-2583 3 Canonical, Debian, Oracle 3 Ubuntu Linux, Debian Linux, Mysql 2025-04-09 4.0 MEDIUM N/A
The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference.
CVE-2009-4030 2 Mysql, Oracle 2 Mysql, Mysql 2025-04-09 4.4 MEDIUM N/A
MySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079.
CVE-2008-3963 2 Mysql, Oracle 2 Mysql, Mysql 2025-04-09 4.0 MEDIUM N/A
MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does not properly handle a b'' (b single-quote single-quote) token, aka an empty bit-string literal, which allows remote attackers to cause a denial of service (daemon crash) by using this token in a SQL statement.
CVE-2000-0148 1 Oracle 1 Mysql 2025-04-03 7.5 HIGH N/A
MySQL 3.22 allows remote attackers to bypass password authentication and access a database via a short check string.
CVE-2003-1480 2 Mysql, Oracle 2 Mysql, Mysql 2025-04-03 4.3 MEDIUM N/A
MySQL 3.20 through 4.1.0 uses a weak algorithm for hashed passwords, which makes it easier for attackers to decrypt the password via brute force methods.
CVE-2006-4227 2 Mysql, Oracle 2 Mysql, Mysql 2025-04-03 6.5 MEDIUM N/A
MySQL before 5.0.25 and 5.1 before 5.1.12 evaluates arguments of suid routines in the security context of the routine's definer instead of the routine's caller, which allows remote authenticated users to gain privileges through a routine that has been made available using GRANT EXECUTE.
CVE-2001-1454 1 Oracle 1 Mysql 2025-04-03 7.5 HIGH N/A
Buffer overflow in MySQL before 3.23.33 allows remote attackers to execute arbitrary code via a long drop database request.
CVE-2002-1921 1 Oracle 1 Mysql 2025-04-03 7.5 HIGH N/A
The default configuration of MySQL 3.20.32 through 3.23.52, when running on Windows, does set the bind address to the loopback interface, which allows remote attackers to connect to the database.
CVE-2005-0710 2 Mysql, Oracle 2 Mysql, Mysql 2025-04-03 4.6 MEDIUM N/A
MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, allows remote authenticated users with INSERT and DELETE privileges to bypass library path restrictions and execute arbitrary libraries by using INSERT INTO to modify the mysql.func table, which is processed by the udf_init function.
CVE-2006-3469 2 Mysql, Oracle 2 Mysql, Mysql 2025-04-03 4.0 MEDIUM N/A
Format string vulnerability in time.cc in MySQL Server 4.1 before 4.1.21 and 5.0 before 1 April 2006 allows remote authenticated users to cause a denial of service (crash) via a format string instead of a date as the first parameter to the date_format function, which is later used in a formatted print call to display the error message.
CVE-2001-1255 2 Mysql, Oracle 2 Winmysqladmin, Mysql 2025-04-03 4.6 MEDIUM N/A
WinMySQLadmin 1.1 stores the MySQL password in plain text in the my.ini file, which allows local users to obtain unathorized access the MySQL database.
CVE-2005-2573 2 Mysql, Oracle 2 Mysql, Mysql 2025-04-03 5.0 MEDIUM N/A
The mysql_create_function function in sql_udf.cc for MySQL 4.0 before 4.0.25, 4.1 before 4.1.13, and 5.0 before 5.0.7-beta, when running on Windows, uses an incomplete blacklist in a directory traversal check, which allows attackers to include arbitrary files via the backslash (\) character.
CVE-2002-1809 1 Oracle 1 Mysql 2025-04-03 7.5 HIGH N/A
The default configuration of the Windows binary release of MySQL 3.23.2 through 3.23.52 has a NULL root password, which could allow remote attackers to gain unauthorized root access to the MySQL database.
CVE-2005-0799 1 Oracle 1 Mysql 2025-04-03 5.0 MEDIUM N/A
MySQL 4.1.9, and possibly earlier versions, allows remote attackers with certain privileges to cause a denial of service (application crash) via a use command followed by an MS-DOS device name such as (1) LPT1 or (2) PRN.
CVE-2005-2558 2 Mysql, Oracle 2 Mysql, Mysql 2025-04-03 4.6 MEDIUM N/A
Stack-based buffer overflow in the init_syms function in MySQL 4.0 before 4.0.25, 4.1 before 4.1.13, and 5.0 before 5.0.7-beta allows remote authenticated users who can create user-defined functions to execute arbitrary code via a long function_name field.