Version(s): prior to 4.1.12, 5.0.5

Description: A vulnerability was reported in MySQL. The database server may run with incorrect privileges. If the 'mysqld' process is started with the '--user=[non_existent_user]' command line configuration option, it will run with the privileges of the calling user instead of providing an error message. Lachlan Mulcahy reported this vulnerability.

Impact: The software may run with the incorrect permissions.

Solution: The vendor has issued a fixed version (4.1.12), available at: http://dev.mysql.com/downloads/ The pending version 5.0.5 will also include the fix.
This is a bug alright... but can't see how it can be exploited by an attacker without dumb-user being in the loop.
Pulling in mysql-bugs to advise.
4.1.12 is in the tree already and I agree with Koon in that it can't be exploited without PEBKAC.
It's an already fixed bug, not a vulnerability. Reopen if you disagree.
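An added example, not part of the original report or of MySQL's code: a shell check for the misconfiguration described in the report at the top of this thread, where the account named for mysqld does not exist. It assumes the name is set as `user=` in the `[mysqld]` section of an option file (the option-file form of `--user`); the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Print the last user= value found in the [mysqld] section of an option file.
cnf_mysqld_user() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        in_sec && /^[ \t]*user[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop "user ="
            sub(/[ \t]*#.*$/, "")      # drop trailing comment
            sub(/[ \t]+$/, "")         # drop trailing blanks
            val = $0
        }
        END { if (val != "") print val }
    ' "$1"
}

# Succeed if NAME has an account. With a second argument, look it up in that
# passwd-format file (used for the constructed sample); otherwise ask NSS.
account_exists() {
    if [ -n "$2" ]; then
        awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
    else
        getent passwd "$1" >/dev/null
    fi
}

# Return 0 if the configured account exists, 1 if it does not, 2 if none is set.
audit_mysqld_user() {
    _u=$(cnf_mysqld_user "$1")
    if [ -z "$_u" ]; then
        echo "WARN: no user= set in [mysqld] of $1"; return 2
    fi
    if account_exists "$_u" "$2"; then
        echo "OK: account '$_u' exists"; return 0
    fi
    echo "FAIL: user='$_u' has no account; before 4.1.12 / 5.0.5 mysqld runs as the calling user instead of reporting an error"
    return 1
}

# Constructed sample input: a misspelled account name in my.cnf.
demo=$(mktemp -d)
printf '[client]\nuser = root\n[mysqld]\nport = 3306\nuser = mysqll   # constructed typo\n' > "$demo/my.cnf"
printf 'root:x:0:0::/root:/bin/sh\nmysql:x:60:60::/var/lib/mysql:/bin/false\n' > "$demo/passwd"
audit_mysqld_user "$demo/my.cnf" "$demo/passwd" || true
rm -rf "$demo"
```

On a live host, call `audit_mysqld_user /etc/mysql/my.cnf` (path is an assumption) with no second argument so the lookup goes through `getent`.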