CVE-2020-15180
Published 2021-05-27
Priority P263 · critical · 9 · CVSS 3.1
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS 5.54% · 91.8th percentile
A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | mariadb-10.5 | < mariadb-10.5 1:10.5.6-1 (bullseye) | mariadb-10.5 1:10.5.6-1 (bullseye) |
| galeracluster | galera_cluster_for_mysql | >= 5.6 < 5.6.49 | 5.6.49 |
| galeracluster | galera_cluster_for_mysql | >= 5.7 < 5.7.31 | 5.7.31 |
| galeracluster | galera_cluster_for_mysql | >= 8.0 < 8.0.21 | 8.0.21 |
| mariadb | mariadb | — | — |
| mariadb | mariadb | >= 10.1.0 < 10.1.47 | 10.1.47 |
| mariadb | mariadb | >= 10.2.0 < 10.2.34 | 10.2.34 |
| mariadb | mariadb | >= 10.3.0 < 10.3.25 | 10.3.25 |
| mariadb | mariadb | >= 10.4.0 < 10.4.15 | 10.4.15 |
| mariadb | mariadb | >= 10.5.0 < 10.5.6 | 10.5.6 |
| percona | xtradb_cluster | < 5.6.49-28.42.2 | 5.6.49-28.42.2 |
| percona | xtradb_cluster | >= 5.7 < 5.7.31-31.45.2 | 5.7.31-31.45.2 |
| percona | xtradb_cluster | >= 8.0 < 8.0.20-11.2 | 8.0.20-11.2 |
Detection & IOCs (extracted from sources)
- Monitor the WSREP service port 4567/TCP for unexpected or unauthorized connections, especially from nodes not part of the known Galera cluster.
- Inspect the `wsrep_sst_method` configuration value for unexpected or shell-injectable content; exploitation occurs when a new node joins the cluster and the tainted value is passed to pthread_create() as arguments.
- Focus detection on the wsrep_sst_donate_cb() code path; the patch introduces validation routines there to check wsrep_sst_method for valid input.
- galera packages as shipped with Red Hat Enterprise Linux and Red Hat Software Collections are NOT affected because they do not contain the vulnerable mysql-wsrep component.
- Exploitation requires both network access to the WSREP port (4567/TCP) AND prior knowledge of the Galera cluster name; unauthenticated remote exploitation without cluster knowledge is not straightforward.
- Affected MariaDB versions are strictly before 10.1.47, 10.2.34, 10.3.25, 10.4.15, and 10.5.6; versions at or above these are patched.
CVSS provenance
- nvd (v3.1): 9.0 CRITICAL, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
- nvd (v2.0): 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
- osv: 9.0 CRITICAL
- vendor_debian: 9.0 CRITICAL
- vendor_redhat: 9.0 CRITICAL
- vendor_ubuntu: 8.8 HIGH
Ubuntu
MariaDB vulnerabilities
vendor_ubuntu·2020-10-27·CVSS 8.8
CVE-2020-2760 [HIGH] MariaDB vulnerabilities
Title: MariaDB vulnerabilities
Summary: Several security issues were fixed in MariaDB.
It was discovered that MariaDB didn't properly validate the content of a packet
received from a server. A remote attacker could use this vulnerability to send
a specially crafted file to cause a denial of service. (CVE-2020-13249)
It was discovered that MariaDB has other security issues. An attacker can cause
a hang or frequently repeatable crash (denial of service). (CVE-2020-15180,
CVE-2020-2752, CVE-2020-2760, CVE-2020-2812, CVE-2020-2814)
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Instructions: This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart
Red Hat
mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep
vendor_redhat·2020-10-06·CVSS 9.0
CVE-2020-15180 [CRITICAL] CWE-94 mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep
A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6.
Debian
CVE-2020-15180: mariadb-10.5 - A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitiza...
vendor_debian·2020·CVSS 9.0
CVE-2020-15180 [CRITICAL] CVE-2020-15180: mariadb-10.5 - A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitiza...
A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6.
Scope: local
bullseye: resolved (fixed in 1:10.5.6-1)
OSV
CVE-2020-15180: A flaw was found in the mysql-wsrep component of mariadb
osv·2021-05-27·CVSS 9.0
CVE-2020-15180 [CRITICAL] CVE-2020-15180: A flaw was found in the mysql-wsrep component of mariadb
A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6.
OSV
mariadb-10.1, mariadb-10.3 vulnerabilities
osv·2020-10-27·CVSS 8.8
CVE-2020-13249 [HIGH] mariadb-10.1, mariadb-10.3 vulnerabilities
It was discovered that MariaDB didn't properly validate the content of a packet
received from a server. A remote attacker could use this vulnerability to send
a specially crafted file to cause a denial of service. (CVE-2020-13249)
It was discovered that MariaDB has other security issues. An attacker can cause
a hang or frequently repeatable crash (denial of service). (CVE-2020-15180,
CVE-2020-2752, CVE-2020-2760, CVE-2020-2812, CVE-2020-2814)
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-15180 mariadb:10.4/galera: mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep [fedora-all]
bugzilla·2020-11-05·CVSS 9.0
CVE-2020-15180 [CRITICAL] CVE-2020-15180 mariadb:10.4/galera: mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit messag
Bugzilla
CVE-2020-15180 mariadb:10.3/galera: mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep [fedora-all]
bugzilla·2020-11-05·CVSS 9.0
CVE-2020-15180 [CRITICAL] CVE-2020-15180 mariadb:10.3/galera: mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep [fedora-all]
Bugzilla
CVE-2020-15180 mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep
bugzilla·2020-11-05·CVSS 9.0
CVE-2020-15180 [CRITICAL] CVE-2020-15180 mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep
A malicious party with access to the WSREP service port (4567/TCP) as well as prerequisite knowledge of the configuration of the Galera cluster name is required in order to exploit this vulnerability, which leads to remote code execution via the WSREP protocol.
Discussion:
Created galera tracking bugs for this issue:
Affects: epel-7 [bug 1894933]
Affects: fedora-all [bug 1894932]
Created mariadb tracking bugs for this issue:
Affects: fedora-all [bug 1894931]
Created mariadb:10.3/galera tracking bugs for this issue:
Affects: fedora-all [bug 1894935]
Created mariadb:10.3/mariadb tracking bugs for this issue:
Affects: fedora-all [bug 1894934]
Created mariadb:10.4/galera tracking
Bugzilla
CVE-2020-15180 mariadb:10.4/mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep [fedora-all]
bugzilla·2020-11-05·CVSS 9.0
CVE-2020-15180 [CRITICAL] CVE-2020-15180 mariadb:10.4/mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep [fedora-all]
Bugzilla
CVE-2020-15180 mariadb:10.3/mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep [fedora-all]
bugzilla·2020-11-05·CVSS 9.0
CVE-2020-15180 [CRITICAL] CVE-2020-15180 mariadb:10.3/mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep [fedora-all]
Bugzilla
CVE-2020-15180 mariadb: mariadb, galera: WSREP service port could allow remote code execution via the WSREP protocol [fedora-all]
bugzilla·2020-11-05·CVSS 9.0
CVE-2020-15180 [CRITICAL] CVE-2020-15180 mariadb: mariadb, galera: WSREP service port could allow remote code execution via the WSREP protocol [fedora-all]
Bugzilla
CVE-2020-15180 galera: mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep [fedora-all]
bugzilla·2020-11-05·CVSS 9.0
CVE-2020-15180 [CRITICAL] CVE-2020-15180 galera: mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep [fedora-all]
Bugzilla
CVE-2020-15180 mariadb: mariadb, galera: WSREP service port could allow remote code execution via the WSREP protocol [openstack-rdo]
bugzilla·2020-11-05·CVSS 9.0
CVE-2020-15180 [CRITICAL] CVE-2020-15180 mariadb: mariadb, galera: WSREP service port could allow remote code execution via the WSREP protocol [openstack-rdo]
Bugzilla
CVE-2020-15180 mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep [fedora-all]
bugzilla·2020-11-05·CVSS 9.0
CVE-2020-15180 [CRITICAL] CVE-2020-15180 mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep [fedora-all]
Bugzilla
CVE-2020-15180 galera: mariadb, galera: WSREP service port could allow remote code execution via the WSREP protocol [epel-7]
bugzilla·2020-11-05·CVSS 9.0
CVE-2020-15180 [CRITICAL] CVE-2020-15180 galera: mariadb, galera: WSREP service port could allow remote code execution via the WSREP protocol [epel-7]
Bugzilla
CVE-2020-15180 galera: mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep [epel-7]
bugzilla·2020-11-05·CVSS 9.0
CVE-2020-15180 [CRITICAL] CVE-2020-15180 galera: mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep [epel-7]
Bugzilla
CVE-2020-15180 galera: mariadb, galera: WSREP service port could allow remote code execution via the WSREP protocol [fedora-all]
bugzilla·2020-11-05·CVSS 9.0
CVE-2020-15180 [CRITICAL] CVE-2020-15180 galera: mariadb, galera: WSREP service port could allow remote code execution via the WSREP protocol [fedora-all]
- https://bugzilla.redhat.com/show_bug.cgi?id=1894919
- https://lists.debian.org/debian-lts-announce/2020/10/msg00021.html
- https://security.gentoo.org/glsa/202011-14
- https://www.debian.org/security/2020/dsa-4776
- https://www.percona.com/blog/2020/10/30/cve-2020-15180-affects-percona-xtradb-cluster/