MariaDB MariaDB Open source RDBMS forked from MySQL

Do you want an email whenever new security vulnerabilities are reported in MariaDB?

By the Year

In 2022 there have been 0 vulnerabilities in MariaDB . Last year MariaDB had 3 security vulnerabilities published. Right now, MariaDB is on track to have less security vulnerabilities in 2022 than it did last year.

Year Vulnerabilities Average Score
2022 0 0.00
2021 3 7.03
2020 1 7.80
2019 0 0.00
2018 0 0.00

It may take a day or so for new MariaDB vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent MariaDB Security Vulnerabilities

A flaw was found in the mysql-wsrep component of mariadb

CVE-2020-15180 9 - Critical - May 27, 2021

A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6.

Improper Input Validation

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML)

CVE-2021-2154 4.9 - Medium - April 22, 2021

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.7.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37

CVE-2021-27928 7.2 - High - March 19, 2021

A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.

Shell injection

mysql_install_db in MariaDB 10.4.7 through 10.4.11

CVE-2020-7221 7.8 - High - February 04, 2020

mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege escalation from the mysql user account to root because chown and chmod are performed unsafely, as demonstrated by a symlink attack on a chmod 04755 of auth_pam_tool_dir/auth_pam_tool. NOTE: this does not affect the Oracle MySQL product, which implements mysql_install_db differently.

Improper Privilege Management

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7

CVE-2016-6662 9.8 - Critical - September 20, 2016

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15.

Permissions, Privileges, and Access Controls

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Red Hat Enterprise Linux (RHEL) or by MariaDB? Click the Watch button to subscribe.

MariaDB
Vendor

MariaDB
Open source RDBMS forked from MySQL

subscribe