{"id":"CVE-2017-12419","details":"If, after successful installation of MantisBT through 2.5.2 on MySQL/MariaDB, the administrator does not remove the 'admin' directory (as recommended in the \"Post-installation and upgrade tasks\" section of the MantisBT Admin Guide), and the MySQL client has a local_infile setting enabled (in php.ini mysqli.allow_local_infile, or the MySQL client config file, depending on the PHP setup), an attacker may take advantage of MySQL's \"connect file read\" feature to remotely access files on the MantisBT server.","modified":"2026-04-11T16:50:47.292798Z","published":"2017-08-05T15:29:00.177Z","references":[{"type":"ADVISORY","url":"http://openwall.com/lists/oss-security/2017/08/04/6"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/100142"},{"type":"ADVISORY","url":"https://mantisbt.org/bugs/view.php?id=23173"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mariadb-corporation/mariadb-connector-nodejs","events":[{"introduced":"0"},{"last_affected":"36373d52d5ec5673d8545f06a05556b23925f3fc"}],"database_specific":{"cpe":"cpe:2.3:a:mantisbt:mantisbt:2.5.2:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"2.5.2"}],"source":"CPE_FIELD"}}],"versions":["0.7.0","2.0.3","2.0.5","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.2.0","2.3.0","2.4.0","2.4.1","2.4.2","2.5.0","2.5.1","2.5.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-12419.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}]}