Enabling local data loading may allow attackers to read server files
Severity | Exploitability | Providers | Categories |
---|---|---|---|
HIGH | LOW | Google Cloud Provider | DATA |
Description
Enabling 'local_infile' in the MySQL server configuration allows the LOAD DATA statement to use local files.
Anyone able to run SQL statements on the server could read the contents of server files by passing the file name to the statement.
Impact
Potential data exposure | Visible in logs | User interaction required | Privileges required |
---|---|---|---|
True | False | False | False |
If a SQL injection vulnerability exists, an attacker would be able to read any file on the server.
Remediation guidelines
Disable the local_infile MySQL setting.
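
One way to check for this setting across Cloud SQL instances and prepare the fix, as an added example that is not part of the original rule. It assumes instance data in the shape returned by `gcloud sql instances list --format=json` (`databaseVersion`, `settings.databaseFlags`); the instance names and flag values in the sample are constructed, and reporting an unset flag as a finding is a choice made by this example.

```python
import json

# Constructed sample, shaped like `gcloud sql instances list --format=json` output.
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "app-db", "databaseVersion": "MYSQL_8_0",
   "settings": {"databaseFlags": [{"name": "slow_query_log", "value": "on"},
                                  {"name": "local_infile", "value": "on"}]}},
  {"name": "reports-db", "databaseVersion": "MYSQL_5_7", "settings": {}},
  {"name": "safe-db", "databaseVersion": "MYSQL_8_0",
   "settings": {"databaseFlags": [{"name": "local_infile", "value": "off"}]}},
  {"name": "pg-db", "databaseVersion": "POSTGRES_15", "settings": {}}
]
""")


def local_infile_findings(instances):
    """Return one finding per MySQL instance where local_infile is not explicitly off."""
    findings = []
    for inst in instances:
        if not inst.get("databaseVersion", "").startswith("MYSQL"):
            continue  # the flag only exists on MySQL instances
        flags = {f["name"]: f["value"]
                 for f in inst.get("settings", {}).get("databaseFlags", [])}
        current = flags.get("local_infile")
        if current is not None and current.lower() in ("off", "0"):
            continue
        # Assumption of this example: an unset flag is reported too, because the
        # effective value then depends on the engine default.
        flags["local_infile"] = "off"
        # --database-flags replaces the whole flag set, so the existing flags
        # are carried over to avoid resetting them.
        merged = ",".join(f"{k}={v}" for k, v in sorted(flags.items()))
        findings.append({
            "instance": inst["name"],
            "current": current or "unset",
            "fix": f"gcloud sql instances patch {inst['name']} --database-flags={merged}",
        })
    return findings


if __name__ == "__main__":
    for finding in local_infile_findings(SAMPLE_INSTANCES):
        print(f"{finding['instance']}: local_infile={finding['current']}")
        print(f"  {finding['fix']}")
```

On a live project, replace the sample with the parsed output of the `gcloud` list command and review each generated `patch` command before running it.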