Medium severity4.9NVD Advisory· Published Aug 5, 2017· Updated May 13, 2026

CVE-2017-12419

Description

If, after successful installation of MantisBT through 2.5.2 on MySQL/MariaDB, the administrator does not remove the 'admin' directory (as recommended in the "Post-installation and upgrade tasks" section of the MantisBT Admin Guide), and the MySQL client has a local_infile setting enabled (in php.ini mysqli.allow_local_infile, or the MySQL client config file, depending on the PHP setup), an attacker may take advantage of MySQL's "connect file read" feature to remotely access files on the MantisBT server.

Affected products

Mantisbt/Mantisbt
cpe:2.3:a:mantisbt:mantisbt:2.5.2:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

openwall.com/lists/oss-security/2017/08/04/6nvdMailing ListThird Party Advisory
www.securityfocus.com/bid/100142nvdThird Party AdvisoryVDB Entry
mantisbt.org/bugs/view.phpnvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.319
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000