Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.6, 10.11, 11.4, 11.8, 12.1, 12.2
-
Ubuntu 20.04 LTS, MD EPYC 7742, 128 Cores, 2.25 GHz
-
Notable changes
Description
A security vulnerability exists where a user with only the GRANT OPTION privilege can improperly read all table names in the database "mysql". The issue does not occur in standard MySQL, where the expected access denial is correctly enforced.
How to reproduce:
-- Login as ROOT user
|
CREATE USER regular; |
GRANT GRANT OPTION ON *.* TO regular; |
|
|
-- Login as regular user
|
SHOW TABLES FROM mysql; |
/* Expected Behavior: ERROR 1044 (42000): Access denied for user 'regular'@'%' to database 'mysql'
|
Actual Behavior:
|
+---------------------------+
|
| Tables_in_mysql |
|
+---------------------------+
|
| column_stats |
|
| columns_priv |
|
...
|
| user |
|
+---------------------------+
|
*/
|
|
|
-- Note: running the same commands in MySQL will get correct behavior:
|
-- ERROR 1044 (42000): Access denied for user 'regular'@'%' to database 'mysql' |