CVE-2008-4098

Name: CVE-2008-4098
Creator: NVD / NIST
Published: 2008-09-18T15:04:27.407+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 1.62%

Last modified Jun 16, 2026

CVE-2008-4098 is a vulnerability of currently unknown severity. MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097.. EPSS estimates a 1.62% chance of exploitation in the next 30 days.

Description

MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097.

Metrics

EPSS Probability

1.62%

73.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-59

Affected Software

Vendor	Product	Versions	Update
Canonical	Ubuntu Linux	6.06	—
Canonical	Ubuntu Linux	7.10	—
Canonical	Ubuntu Linux	8.04	—
Canonical	Ubuntu Linux	8.10	—
Canonical	Ubuntu Linux	9.04	—
Canonical	Ubuntu Linux	9.10	—
Debian	Debian Linux	5.0	—
Mysql	Mysql	5.0.0	—
Mysql	Mysql	5.0.1	—
Mysql	Mysql	5.0.2	—
Mysql	Mysql	5.0.3	—
Mysql	Mysql	5.0.4	—
Mysql	Mysql	5.0.5	—
Mysql	Mysql	5.0.10	—
Mysql	Mysql	5.0.15	—
Mysql	Mysql	5.0.16	—
Mysql	Mysql	5.0.17	—
Mysql	Mysql	5.0.20	—
Mysql	Mysql	5.0.24	—
Mysql	Mysql	5.0.30	—
Mysql	Mysql	5.0.36	—
Mysql	Mysql	5.0.44	—
Mysql	Mysql	5.0.54	—
Mysql	Mysql	5.0.56	—
Mysql	Mysql	5.0.60	—
Mysql	Mysql	5.0.66	—
Oracle	Mysql	5.0.23	—
Oracle	Mysql	5.0.25	—
Oracle	Mysql	5.0.26	—
Oracle	Mysql	5.0.28	—
Oracle	Mysql	5.0.30	Sp1
Oracle	Mysql	5.0.32	—
Oracle	Mysql	5.0.34	—
Oracle	Mysql	5.0.36	Sp1
Oracle	Mysql	5.0.38	—
Oracle	Mysql	5.0.40	—
Oracle	Mysql	5.0.41	—
Oracle	Mysql	5.0.42	—
Oracle	Mysql	5.0.44	Sp1
Oracle	Mysql	5.0.45	—
Oracle	Mysql	5.0.46	—
Oracle	Mysql	5.0.48	—
Oracle	Mysql	5.0.50	—
Oracle	Mysql	5.0.51	—
Oracle	Mysql	5.0.52	—
Oracle	Mysql	5.0.56	Sp1
Oracle	Mysql	5.0.58	—
Oracle	Mysql	5.0.60	Sp1
Oracle	Mysql	5.0.62	—
Oracle	Mysql	5.0.64	—

Showing 50 of 51 affected configurations. See NVD for the full list.

References

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25Issue Tracking, Third Party Advisory
http://bugs.mysql.com/bug.php?id=32167Issue Tracking, Patch, Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00001.htmlThird Party Advisory
http://secunia.com/advisories/32578Not Applicable
http://secunia.com/advisories/32759Not Applicable
http://secunia.com/advisories/32769Not Applicable
http://secunia.com/advisories/38517Not Applicable
http://ubuntu.com/usn/usn-897-1Third Party Advisory
http://www.debian.org/security/2008/dsa-1662Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2009:094Broken Link
http://www.openwall.com/lists/oss-security/2008/09/09/20Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2008/09/16/3Mailing List, Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2009-1067.htmlThird Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0110.htmlThird Party Advisory
http://www.ubuntu.com/usn/USN-1397-1
http://www.ubuntu.com/usn/USN-671-1Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/45649
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10591
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25Issue Tracking, Third Party Advisory
http://bugs.mysql.com/bug.php?id=32167Issue Tracking, Patch, Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00001.htmlThird Party Advisory
http://secunia.com/advisories/32578Not Applicable
http://secunia.com/advisories/32759Not Applicable
http://secunia.com/advisories/32769Not Applicable
http://secunia.com/advisories/38517Not Applicable
http://ubuntu.com/usn/usn-897-1Third Party Advisory
http://www.debian.org/security/2008/dsa-1662Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2009:094Broken Link
http://www.openwall.com/lists/oss-security/2008/09/09/20Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2008/09/16/3Mailing List, Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2009-1067.htmlThird Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0110.htmlThird Party Advisory
http://www.ubuntu.com/usn/USN-1397-1
http://www.ubuntu.com/usn/USN-671-1Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/45649
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10591

Timeline

Published: Sep 18, 2008
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2008-4098?

How severe is CVE-2008-4098?

Severity scoring for CVE-2008-4098 is pending analysis. The EPSS model estimates a 1.62% probability of exploitation in the next 30 days.

How do I fix CVE-2008-4098?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2008-4098?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST