Vulnerabilities > Mariadb

DATE CVE VULNERABILITY TITLE RISK
2021-05-27 CVE-2020-15180 Static Code Injection vulnerability in multiple products
A flaw was found in the mysql-wsrep component of mariadb.
6.8
2021-04-22 CVE-2021-2154 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).
network
low complexity
oracle mariadb netapp fedoraproject
4.0
2021-03-19 CVE-2021-27928 OS Command Injection vulnerability in multiple products
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL.
network
low complexity
mariadb percona galeracluster debian CWE-78
critical
9.0
2020-12-24 CVE-2020-28912 Unspecified vulnerability in Mariadb
With MariaDB running on Windows, when local clients connect to the server over named pipes, it's possible for an unprivileged user with an ability to run code on the server machine to intercept the named pipe connection and act as a man-in-the-middle, gaining access to all the data passed between the client and the server, and getting the ability to run SQL commands on behalf of the connected user.
local
mariadb
4.4
2020-05-20 CVE-2020-13249 libmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 does not properly validate the content of an OK packet received from a server.
network
mariadb opensuse
6.8
2020-02-04 CVE-2020-7221 Improper Privilege Management vulnerability in Mariadb
mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege escalation from the mysql user account to root because chown and chmod are performed unsafely, as demonstrated by a symlink attack on a chmod 04755 of auth_pam_tool_dir/auth_pam_tool.
local
low complexity
mariadb CWE-269
7.2
2018-06-04 CVE-2017-16046 Unspecified vulnerability in Mariadb 2.13.0
`mariadb` was a malicious module published with the intent to hijack environment variables.
network
low complexity
mariadb
5.0
2018-01-25 CVE-2017-15365 sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x before 10.2.10 and Percona XtraDB Cluster before 5.6.37-26.21-3 and 5.7.x before 5.7.19-29.22-3 allows remote authenticated users with SQL access to bypass intended access restrictions and replicate data definition language (DDL) statements to cluster nodes by leveraging incorrect ordering of DDL replication and ACL checking.
network
low complexity
fedoraproject mariadb percona
6.5
2017-10-27 CVE-2017-15945 Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
The installation scripts in the Gentoo dev-db/mysql, dev-db/mariadb, dev-db/percona-server, dev-db/mysql-cluster, and dev-db/mariadb-galera packages before 2017-09-29 have chown calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to the mysql account for creation of a link.
local
low complexity
mariadb mysql gentoo CWE-732
7.2
2017-08-05 CVE-2017-12419 Information Exposure vulnerability in Mantisbt 2.5.2
If, after successful installation of MantisBT through 2.5.2 on MySQL/MariaDB, the administrator does not remove the 'admin' directory (as recommended in the "Post-installation and upgrade tasks" section of the MantisBT Admin Guide), and the MySQL client has a local_infile setting enabled (in php.ini mysqli.allow_local_infile, or the MySQL client config file, depending on the PHP setup), an attacker may take advantage of MySQL's "connect file read" feature to remotely access files on the MantisBT server.
network
low complexity
mantisbt mariadb mysql CWE-200
4.0