Improper Input Validation

Affecting mariadb-10.1 package, versions <10.1.47-0+deb9u1


NVD Description

Note: Versions mentioned in the description apply to the upstream mariadb-10.1 package. See Remediation section below for Debian:9 relevant versions.

A flaw was found in the mysql-wsrep component of MariaDB. Lack of input sanitization in wsrep_sst_method allows command injection that a remote attacker can exploit to execute arbitrary commands on Galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects MariaDB versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6.

Remediation

Upgrade Debian:9 mariadb-10.1 to version 10.1.47-0+deb9u1 or higher.

CVSS Score

9.0 (critical severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE: CVE-2020-15180
CWE: CWE-20, CWE-96
Snyk ID: SNYK-DEBIAN9-MARIADB101-1017372
Disclosed: 27 May, 2021
Published: 14 Oct, 2020