Bug #115938 The schema authorized to ''@'%' can be accessed by all users
Submitted: 27 Aug 2024 9:19 Modified: 27 Aug 2024 13:23
Reporter: Xiaocong Ding (OCA) Email Updates:
Status: Not a Bug Impact on me:
None 
Category:MySQL Server: Security: Privileges Severity:S3 (Non-critical)
Version:8.0 OS:Any
Assigned to: CPU Architecture:Any
Tags: privileges

[27 Aug 2024 9:19] Xiaocong Ding 
Description:
The schema authorized to ''@'%' can be accessed by all other users.

How to repeat:
Execute following SQL:

1. create schema testdb;
 
2. create user ''@'%' identified with mysql_native_password by 'rds1234!';

3. grant all privileges on `testdb`.* to ''@'%';

4. create user 'test1'@'%' identified with mysql_native_password by 'rds1234!';

Use 'test1'@'%' login in, and execute "show schemas", then it will be found that the account 'test1'@'%' also has privileges on schema 'testdb', which is unexpected.
[27 Aug 2024 12:40] Xiaocong Ding 
Sorry, it's not a bug. The following document can be referred:

https://dev.mysql.com/doc/refman/8.4/en/proxy-users.html
[27 Aug 2024 13:23] MySQL Verification Team 
Closing it for now.