CVE-2017-15365 — Improper Access Control in Mariadb

CWE-284 — Improper Access Control8 documents6 sources

Severity

8.8HIGHNVD

EPSS

0.6%

top 31.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mariadb Percona Xtradb Cluster Fedoraproject Fedora

Timeline

PublishedJan 25

Latest updateMay 13

Description

sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x before 10.2.10 and Percona XtraDB Cluster before 5.6.37-26.21-3 and 5.7.x before 5.7.19-29.22-3 allows remote authenticated users with SQL access to bypass intended access restrictions and replicate data definition language (DDL) statements to cluster nodes by leveraging incorrect ordering of DDL replication and ACL checking.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDpercona/xtradb_cluster5.7.0 — 5.7.19-29.22-3+1

▶NVDmariadb/mariadb10.2.0 — 10.2.10+1

▶Alpinemariadb/mariadb< 10.1.32-r0+3

Also affects: Fedora 26

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-5qvf-c9w3-cfj9: sql/event_data_objects↗2022-05-13

▶

OSV

CVE-2017-15365: sql/event_data_objects↗2018-01-25

▶

CVEList

CVE-2017-15365: sql/event_data_objects↗2018-01-25

▶

📋Vendor Advisories

Red Hat

mariadb: Replication in sql/event_data_objects.cc occurs before ACL checks↗2017-10-06

▶

💬Community

Bugzilla

CVE-2017-15365 mariadb: Replication in sql/event_data_objects.cc occurs before ACL checks [openstack-rdo]↗2017-12-12

▶

Bugzilla

CVE-2017-15365 mariadb: Replication in sql/event_data_objects.cc occurs before ACL checks↗2017-12-11

▶

Bugzilla

CVE-2017-15365 mariadb: Replication in sql/event_data_objects.cc occurs before ACL checks [fedora-all]↗2017-12-11

▶