CVE-2020-15180
published 2021-05-27


Priority: P2 · 63 · critical · 9 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 5.54% (91.8th percentile)
A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6.

Affected

15 ranges

Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | debian_linux | |
debian | mariadb-10.5 | < mariadb-10.5 1:10.5.6-1 (bullseye) | mariadb-10.5 1:10.5.6-1 (bullseye)
galeracluster | galera_cluster_for_mysql | >= 5.6, < 5.6.49 | 5.6.49
galeracluster | galera_cluster_for_mysql | >= 5.7, < 5.7.31 | 5.7.31
galeracluster | galera_cluster_for_mysql | >= 8.0, < 8.0.21 | 8.0.21
mariadb | mariadb | |
mariadb | mariadb | >= 10.1.0, < 10.1.47 | 10.1.47
mariadb | mariadb | >= 10.2.0, < 10.2.34 | 10.2.34
mariadb | mariadb | >= 10.3.0, < 10.3.25 | 10.3.25
mariadb | mariadb | >= 10.4.0, < 10.4.15 | 10.4.15
mariadb | mariadb | >= 10.5.0, < 10.5.6 | 10.5.6
percona | xtradb_cluster | < 5.6.49-28.42.2 | 5.6.49-28.42.2
percona | xtradb_cluster | >= 5.7, < 5.7.31-31.45.2 | 5.7.31-31.45.2
percona | xtradb_cluster | >= 8.0, < 8.0.20-11.2 | 8.0.20-11.2

Detection & IOCs (extracted from sources)

port: 4567/TCP
command: wsrep_sst_method
  • Monitor the WSREP service port 4567/TCP for unexpected or unauthorized connections, especially from nodes not part of the known Galera cluster.
  • Inspect the `wsrep_sst_method` configuration value for unexpected or shell-injectable content; exploitation occurs when a new node joins the cluster and the tainted value is passed to pthread_create() as arguments.
  • Focus detection on the wsrep_sst_donate_cb() code path; the patch introduces validation routines there to check wsrep_sst_method for valid input.
  • galera packages as shipped with Red Hat Enterprise Linux and Red Hat Software Collections are NOT affected because they do not contain the vulnerable mysql-wsrep component.
  • Exploitation requires both network access to the WSREP port (4567/TCP) AND prior knowledge of the Galera cluster name — unauthenticated remote exploitation without cluster knowledge is not straightforward.
  • Affected MariaDB versions are strictly before 10.1.47, 10.2.34, 10.3.25, 10.4.15, and 10.5.6; versions at or above these are patched.
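The two checks above (an affected-version test and an inspection of `wsrep_sst_method` for unexpected or shell-injectable content) can be scripted for a fleet audit. The script below is an added example, not code from the advisory sources or from MariaDB; the fixed versions come from the advisory text, while the allowlist of SST method names and the sample my.cnf fragment are assumptions constructed for the example.

```python
"""Defender-side checks for CVE-2020-15180 (added example, not from the
advisory sources).
  1. is_affected(): is a MariaDB version string in an affected range?
  2. audit_config(): does a my.cnf-style file carry an unexpected or
     shell-injectable wsrep_sst_method value?
The SST method allowlist is an assumption; adjust it to the methods your
cluster actually uses.
"""
import re
from typing import List, Optional, Tuple

# Fixed versions from the advisory text, keyed by minor series.
FIXED_IN = {
    (10, 1): (10, 1, 47),
    (10, 2): (10, 2, 34),
    (10, 3): (10, 3, 25),
    (10, 4): (10, 4, 15),
    (10, 5): (10, 5, 6),
}

# Assumed allowlist of legitimate SST method names.
ALLOWED_SST_METHODS = {
    "rsync", "mysqldump", "xtrabackup", "xtrabackup-v2", "mariabackup", "skip",
}

# Characters a shell would interpret; none belong in a method name.
SHELL_META = re.compile(r"[;&|`$<>(){}\[\]\\\n\"'\s]")

# Constructed sample configuration (not from a real cluster). Line 5
# carries a deliberately tainted value so the audit has something to flag.
SAMPLE_CNF = """\
[galera]
wsrep_on=ON
wsrep_cluster_name=example_cluster   # constructed sample
wsrep_sst_method=mariabackup
wsrep_sst_method = rsync; echo injected   # constructed tainted value
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from strings such as
    '10.4.13-MariaDB-1:10.4.13+maria~bionic'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> Optional[bool]:
    """True if the version predates the fix for its series, False if it is
    at or above the fix, None if the series is not covered by the advisory."""
    ver = parse_version(version)
    fixed = FIXED_IN.get(ver[:2])
    if fixed is None:
        return None
    return ver < fixed


def check_sst_method(value: str) -> Tuple[bool, str]:
    """Validate one wsrep_sst_method value; returns (ok, reason)."""
    v = value.strip().strip('"').strip("'")
    if not v:
        return False, "empty value"
    if SHELL_META.search(v):
        return False, f"shell metacharacter in value {value.strip()!r}"
    if v not in ALLOWED_SST_METHODS:
        return False, f"unknown SST method {v!r}"
    return True, "ok"


def audit_config(cnf_text: str) -> List[Tuple[int, bool, str]]:
    """Scan my.cnf-style text and return (line, ok, reason) for every
    wsrep_sst_method assignment found."""
    findings = []
    for lineno, raw in enumerate(cnf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().replace("-", "_") != "wsrep_sst_method":
            continue
        ok, reason = check_sst_method(val)
        findings.append((lineno, ok, reason))
    return findings


if __name__ == "__main__":
    for v in ("10.4.13-MariaDB", "10.5.6-MariaDB-1:10.5.6+maria~focal"):
        print(v, "affected" if is_affected(v) else "fixed/not covered")
    for lineno, ok, reason in audit_config(SAMPLE_CNF):
        print(f"line {lineno}: {'OK' if ok else 'FLAG'} ({reason})")
```

Feed `is_affected()` the output of `SELECT VERSION()` or `mysqld --version`, and point `audit_config()` at each node's configuration; a method name outside the allowlist deserves a look even when it contains no metacharacters, since it is the kind of value the patched validation routine in `wsrep_sst_donate_cb()` would reject.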

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.0 | CRITICAL | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv | | 9.0 | CRITICAL |
vendor_debian | | 9.0 | CRITICAL |
vendor_redhat | | 9.0 | CRITICAL |
vendor_ubuntu | | 8.8 | HIGH |