[MDEV-36402] Acl_* status values reveal information to unprivileged users - Jira

Details

Type: Bug
Status: Open (View Workflow)
Priority: Minor
Resolution: Unresolved
Affects Version/s: 10.1(EOL), 10.5, 10.6, 10.11, 11.4, 11.8
Fix Version/s: 12.0
Component/s: Authentication and Privilege System
Labels:
None

Description

Acl_* status values introduced in 10.1 show information about the number of users, roles, grants, etc. across the database, and it is available to any user. Counters are not particularly dangerous as such, but unprivileged users probably shouldn't see them.

create user foo@localhost;

show status like 'acl%';

--connect (con1,localhost,foo,,)

show status like 'acl%';

--disconnect con1

--connection default

drop user foo@localhost;

main ab468e33aff110b44a31ce0350894906ff4bc757
connect con1,localhost,foo,,;
show status like 'acl%';
Variable_name Value
Acl_column_grants 0
Acl_database_grants 0
Acl_function_grants 0
Acl_procedure_grants 0
Acl_package_spec_grants 0
Acl_package_body_grants 0
Acl_proxy_users 4
Acl_role_grants 0
Acl_roles 0
Acl_table_grants 1
Acl_users 6
disconnect con1;

Attachments

Activity

Ascending order - Click to sort in descending order

Elena Stepanova created issue - 2025-03-26 17:00

Elena Stepanova made changes - 2025-03-26 17:01

Field	Original Value	New Value
Summary	Acl_* status values reveal a lot of information to unprivileged users	Acl_* status values reveal information to unprivileged users

People

Assignee:: Sergei Golubchik

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2025-03-26 17:00

Updated:: 2025-03-26 17:01

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server