CVE-2007-6303

MySQL 5.0.x before 5.0.51a, 5.1.x before 5.1.23, and 6.0.x before 6.0.4 does not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement.

🔗 References (50)

• cve@mitrehttp://bugs.mysql.com/bug.php?id=29908
• cve@mitrehttp://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-52.html
• cve@mitrehttp://dev.mysql.com/doc/refman/5.1/en/news-5-1-23.html
• cve@mitrehttp://dev.mysql.com/doc/refman/6.0/en/news-6-0-4.html
• cve@mitrehttp://lists.mysql.com/announce/502
• cve@mitrehttp://lists.opensuse.org/opensuse-security-announce/2008-02/msg00003.html
• cve@mitrehttp://secunia.com/advisories/28025
• cve@mitrehttp://secunia.com/advisories/28063
• cve@mitrehttp://secunia.com/advisories/28739
• cve@mitrehttp://secunia.com/advisories/28838
• cve@mitrehttp://secunia.com/advisories/29443
• cve@mitrehttp://secunia.com/advisories/29706
• cve@mitrehttp://security.gentoo.org/glsa/glsa-200804-04.xml
• cve@mitrehttp://securitytracker.com/id?1019085
• cve@mitrehttp://wiki.rpath.com/wiki/Advisories:rPSA-2008-0040