Search for vulnerabilities
Vulnerability details: VCID-k18m-23m7-aaaa
Vulnerability ID VCID-k18m-23m7-aaaa
Aliases CVE-2016-6662
Summary Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15.
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-264 Permissions, Privileges, and Access Controls
CWE-732 Incorrect Permission Assignment for Critical Resource
System Score Found at
generic_textual Medium http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6662.html
rhas Important https://access.redhat.com/errata/RHSA-2016:2058
rhas Important https://access.redhat.com/errata/RHSA-2016:2059
rhas Important https://access.redhat.com/errata/RHSA-2016:2060
rhas Important https://access.redhat.com/errata/RHSA-2016:2061
rhas Important https://access.redhat.com/errata/RHSA-2016:2062
rhas Important https://access.redhat.com/errata/RHSA-2016:2077
rhas Important https://access.redhat.com/errata/RHSA-2016:2130
rhas Important https://access.redhat.com/errata/RHSA-2016:2131
rhas Important https://access.redhat.com/errata/RHSA-2016:2595
rhas Important https://access.redhat.com/errata/RHSA-2016:2749
rhas Important https://access.redhat.com/errata/RHSA-2016:2927
rhas Important https://access.redhat.com/errata/RHSA-2016:2928
rhas Important https://access.redhat.com/errata/RHSA-2017:0184
cvssv3 9.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-6662.json
epss 0.00928 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.00928 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.00928 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.00928 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.00928 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.00928 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.00928 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.00928 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.00928 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.00928 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.00928 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.00928 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.02588 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.02588 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.02588 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.02588 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.88944 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.88944 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89175 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89175 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89175 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89577 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89801 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89801 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89854 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89854 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89854 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89854 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
epss 0.89854 https://api.first.org/data/v1/epss?cve=CVE-2016-6662
rhbs high https://bugzilla.redhat.com/show_bug.cgi?id=1375198
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662
cvssv2 8.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
generic_textual Medium https://mariadb.com/kb/en/mariadb/mariadb-10027-release-notes/
cvssv2 10.0 https://nvd.nist.gov/vuln/detail/CVE-2016-6662
cvssv3 9.8 https://nvd.nist.gov/vuln/detail/CVE-2016-6662
cvssv3.1 5.6 https://security.gentoo.org/glsa/201701-01
generic_textual MODERATE https://security.gentoo.org/glsa/201701-01
generic_textual Medium https://ubuntu.com/security/notices/USN-3078-1
cvssv3.1 8.1 http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
generic_textual HIGH http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Reference id Reference type URL
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6662.html
http://rhn.redhat.com/errata/RHSA-2016-2058.html
http://rhn.redhat.com/errata/RHSA-2016-2059.html
http://rhn.redhat.com/errata/RHSA-2016-2060.html
http://rhn.redhat.com/errata/RHSA-2016-2061.html
http://rhn.redhat.com/errata/RHSA-2016-2062.html
http://rhn.redhat.com/errata/RHSA-2016-2077.html
http://rhn.redhat.com/errata/RHSA-2016-2130.html
http://rhn.redhat.com/errata/RHSA-2016-2131.html
http://rhn.redhat.com/errata/RHSA-2016-2595.html
http://rhn.redhat.com/errata/RHSA-2016-2749.html
http://rhn.redhat.com/errata/RHSA-2016-2927.html
http://rhn.redhat.com/errata/RHSA-2016-2928.html
http://rhn.redhat.com/errata/RHSA-2017-0184.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-6662.json
https://api.first.org/data/v1/epss?cve=CVE-2016-6662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662
http://seclists.org/fulldisclosure/2016/Sep/23
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://jira.mariadb.org/browse/MDEV-10465
https://mariadb.com/kb/en/mariadb/mariadb-10027-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10117-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-5551-release-notes/
https://security.gentoo.org/glsa/201701-01
https://ubuntu.com/security/notices/USN-3078-1
https://www.exploit-db.com/exploits/40360/
https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662/
http://www.debian.org/security/2016/dsa-3666
http://www.openwall.com/lists/oss-security/2016/09/12/3
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.securityfocus.com/bid/92912
http://www.securitytracker.com/id/1036769
1375198 https://bugzilla.redhat.com/show_bug.cgi?id=1375198
cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
cpe:2.3:a:percona:percona_server:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:percona:percona_server:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:5.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:5.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:6.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:6.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:8:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:8:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
CVE-2016-6662 Exploit http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
CVE-2016-6662 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/local/40360.py
CVE-2016-6662 https://nvd.nist.gov/vuln/detail/CVE-2016-6662
RHSA-2016:2058 https://access.redhat.com/errata/RHSA-2016:2058
RHSA-2016:2059 https://access.redhat.com/errata/RHSA-2016:2059
RHSA-2016:2060 https://access.redhat.com/errata/RHSA-2016:2060
RHSA-2016:2061 https://access.redhat.com/errata/RHSA-2016:2061
RHSA-2016:2062 https://access.redhat.com/errata/RHSA-2016:2062
RHSA-2016:2077 https://access.redhat.com/errata/RHSA-2016:2077
RHSA-2016:2130 https://access.redhat.com/errata/RHSA-2016:2130
RHSA-2016:2131 https://access.redhat.com/errata/RHSA-2016:2131
RHSA-2016:2595 https://access.redhat.com/errata/RHSA-2016:2595
RHSA-2016:2749 https://access.redhat.com/errata/RHSA-2016:2749
RHSA-2016:2927 https://access.redhat.com/errata/RHSA-2016:2927
RHSA-2016:2928 https://access.redhat.com/errata/RHSA-2016:2928
RHSA-2017:0184 https://access.redhat.com/errata/RHSA-2017:0184
USN-3078-1 https://usn.ubuntu.com/3078-1/
Data source Exploit-DB
Date added Sept. 12, 2016
Description MySQL / MariaDB / PerconaDB 5.5.51/5.6.32/5.7.14 - Code Execution / Privilege Escalation
Ransomware campaign use Unknown
Source publication date Sept. 12, 2016
Exploit type local
Platform linux
Source update date Nov. 17, 2016
Source URL http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-6662.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C Found at https://nvd.nist.gov/vuln/detail/CVE-2016-6662
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2016-6662
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://security.gentoo.org/glsa/201701-01
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.83425
EPSS Score 0.00928
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.