← Zuruck zu CVEs
CVE-2017-12419
N/ABeschreibung
If, after successful installation of MantisBT through 2.5.2 on MySQL/MariaDB, the administrator does not remove the 'admin' directory (as recommended in the "Post-installation and upgrade tasks" section of the MantisBT Admin Guide), and the MySQL client has a local_infile setting enabled (in php.ini mysqli.allow_local_infile, or the MySQL client config file, depending on the PHP setup), an attacker may take advantage of MySQL's "connect file read" feature to remotely access files on the MantisBT server.
CVE Details
CVSS v3.1 BewertungN/A
Veroffentlicht8/5/2017
Zuletzt geandert4/20/2025
Quellenvd
Honeypot-Sichtungen0
Betroffene Produkte
mantisbt:mantisbtmariadb:mariadbmysql:mysql
Schwachen (CWE)
CWE-200
Referenzen
http://openwall.com/lists/oss-security/2017/08/04/6(cve@mitre.org)
http://www.securityfocus.com/bid/100142(cve@mitre.org)
https://mantisbt.org/bugs/view.php?id=23173(cve@mitre.org)
http://openwall.com/lists/oss-security/2017/08/04/6(af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/100142(af854a3a-2127-422b-91ae-364da2661108)
https://mantisbt.org/bugs/view.php?id=23173(af854a3a-2127-422b-91ae-364da2661108)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.