CVE-2021-27928
Published 2021-03-19
Priority: P2 · 65 · high · CVSS 3.1: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS: 38.18% (98.4th percentile)
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.
Affected (20 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | mariadb-10.5 | < mariadb-10.5 1:10.5.9-1 (bullseye) | mariadb-10.5 1:10.5.9-1 (bullseye) |
| galeracluster | wsrep | <= 2021-03-03 | — |
| mariadb | mariadb | >= 10.2 < 10.2.37 | 10.2.37 |
| mariadb | mariadb | >= 10.3 < 10.3.28 | 10.3.28 |
| mariadb | mariadb | >= 10.4 < 10.4.18 | 10.4.18 |
| mariadb | mariadb | >= 10.5 < 10.5.9 | 10.5.9 |
| msrc | mariadb-10.3.28-1.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm | — | — |
| msrc | mariadb-10.3.28-1.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64 | — | — |
| msrc | mariadb-debuginfo-10.3.28-1.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm | — | — |
| msrc | mariadb-debuginfo-10.3.28-1.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64 | — | — |
| msrc | mariadb-devel-10.3.28-1.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm | — | — |
| msrc | mariadb-devel-10.3.28-1.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64 | — | — |
| msrc | mariadb-errmsg-10.3.28-1.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm | — | — |
| msrc | mariadb-errmsg-10.3.28-1.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64 | — | — |
| msrc | mariadb-server-10.3.28-1.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm | — | — |
| msrc | mariadb-server-10.3.28-1.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64 | — | — |
| msrc | mariadb-server-galera-10.3.28-1.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm | — | — |
| msrc | mariadb-server-galera-10.3.28-1.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64 | — | — |
| percona | percona_server | <= 2021-03-03 | — |
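As an added example (my code, not from this page or from MariaDB), a Python check that classifies a server's VERSION() string against the ranges in the table above. It parses the leading x.y.z and compares numerically, since a plain string comparison ranks 10.3.9 above 10.3.28, and it refuses to give a verdict for Percona Server and the MySQL wsrep patch, where the advisory specifies a build date (2021-03-03) rather than a version. The sample version strings are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed versions per MariaDB series, taken from the advisory text on this page.
FIXED_IN = {
    (10, 2): (10, 2, 37),
    (10, 3): (10, 3, 28),
    (10, 4): (10, 4, 18),
    (10, 5): (10, 5, 9),
}

# Percona Server and the wsrep patch for MySQL are bounded by a build date,
# not a version number, so a version string alone cannot settle them.
DATE_BOUNDED_CUTOFF = "2021-03-03"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string: str) -> Optional[Tuple[int, int, int]]:
    """Return the leading x.y.z of a VERSION() string as an int tuple.

    Handles distro suffixes such as '10.3.25-MariaDB-0+deb10u1' and
    '10.5.9-MariaDB-1:10.5.9+maria~focal'; returns None without an x.y.z prefix.
    """
    m = VERSION_RE.match(version_string.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version_string: str, version_comment: str = "") -> str:
    """Classify one server against CVE-2021-27928's affected ranges.

    version_string is SELECT VERSION(); version_comment is @@version_comment,
    which is where Percona identifies itself (its VERSION() looks like MySQL's).
    """
    ident = f"{version_string} {version_comment}".lower()
    if "percona" in ident:
        return f"percona: affected through builds of {DATE_BOUNDED_CUTOFF}; check build date"
    if "mariadb" not in ident:
        return f"mysql: affected only with the wsrep patch through {DATE_BOUNDED_CUTOFF}; check build"
    v = parse_version(version_string)
    if v is None:
        return "unparseable version string"
    series = v[:2]
    fixed = FIXED_IN.get(series)
    if fixed is None:
        # 10.1 and older are not in the advisory's ranges: unknown, not "safe".
        return f"{series[0]}.{series[1]}: series not listed in the advisory"
    # Tuple comparison is numeric per component: (10, 3, 9) < (10, 3, 28).
    return "vulnerable" if v < fixed else "fixed"


# Constructed sample VERSION() strings, not real hosts.
SAMPLES = {
    "10.3.25-MariaDB": "vulnerable",        # the version on the Shibboleth box
    "10.3.9-MariaDB": "vulnerable",         # string comparison would get this wrong
    "10.5.9-MariaDB-1:10.5.9+maria~focal": "fixed",
    "10.2.37-MariaDB-log": "fixed",
    "10.1.48-MariaDB": "10.1: series not listed in the advisory",
}

if __name__ == "__main__":
    for ver, expected in SAMPLES.items():
        result = assess(ver)
        print(f"{ver:40} {result}  ({'ok' if result == expected else 'MISMATCH'})")
    # Percona identifies itself in @@version_comment, not in VERSION().
    print(assess("8.0.22-13", "Percona Server (GPL)"))
```

Feed it the output of `SELECT VERSION(), @@version_comment` from each host in an inventory; a "series not listed" result is a prompt to check the vendor, not a pass.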
Detection & IOCs (extracted from sources)
- Monitor MariaDB/MySQL for `SET GLOBAL wsrep_provider` being set to a filesystem path (especially under /tmp/) that points to a .so shared library; this is the core exploit primitive for CVE-2021-27928.
- Alert on the MariaDB/MySQL server process spawning unexpected child processes or making outbound network connections: exploitation loads a malicious ELF shared object via wsrep_provider, giving code execution in the database server's process context.
- Detect ELF shared objects dropped into world-writable directories such as /tmp and subsequently loaded by the MariaDB/MySQL process.
- Audit use of the SUPER privilege in MariaDB/MySQL; exploitation requires a SUPER-privileged account to modify the wsrep_provider and wsrep_notify_cmd global variables.
- Without SUPER, `SET GLOBAL wsrep_provider` is rejected, so the attacker needs a database account that holds that privilege.
- wsrep_provider and wsrep_notify_cmd are the two modifiable system variables that enable the exploit path; environments where Galera/wsrep is not configured may still be vulnerable if the variables are writable.
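The first and last detection items above, worked as an added example (my code, not from the page's sources or from any vendor): a scanner over MariaDB general-query-log style lines that flags `SET GLOBAL` on the two variables. The log lines and the /tmp/evil.so path are constructed; the allowlist of legitimate libgalera_smm.so locations is an assumption to adjust per distribution. It treats wsrep_provider='none' as benign (that is how the provider is unloaded), treats any non-empty wsrep_notify_cmd as a finding, and separates provider paths in world-writable directories from other non-allowlisted paths.

```python
import re
from typing import Dict, Iterable, List, Optional

# Assumed allowlist of legitimate Galera provider paths; adjust per distro.
# 'none' is the value used to unload the provider and is not a finding.
ALLOWED_PROVIDERS = {
    "none",
    "/usr/lib/galera/libgalera_smm.so",
    "/usr/lib64/galera/libgalera_smm.so",
    "/usr/lib/galera-4/libgalera_smm.so",
    "/usr/lib64/galera-4/libgalera_smm.so",
}

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

# SET [GLOBAL | @@global.] wsrep_provider|wsrep_notify_cmd = <value>
# where <value> is single-quoted, double-quoted, or a bare token.
SET_WSREP = re.compile(
    r"""\bSET\s+(?:GLOBAL\s+|@@global\.)?
        (wsrep_provider|wsrep_notify_cmd)\s*=\s*
        (?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|([^\s;,'"]+))""",
    re.IGNORECASE | re.VERBOSE,
)


def classify(variable: str, value: str) -> Optional[str]:
    """Return a finding reason for one SET, or None if it looks legitimate."""
    variable = variable.lower()
    if variable == "wsrep_notify_cmd":
        # The server runs this command through the shell; outside a Galera
        # deployment there is no reason for it to be non-empty.
        return None if value == "" else "wsrep_notify_cmd set to a shell command"
    # wsrep_provider: the server dlopen()s this path inside its own process.
    if value in ALLOWED_PROVIDERS:
        return None
    if value.startswith(WORLD_WRITABLE):
        return "wsrep_provider points into a world-writable directory"
    return "wsrep_provider set to a non-allowlisted path"


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Scan log lines; return one finding per suspicious SET, in order."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        for m in SET_WSREP.finditer(line):
            variable = m.group(1).lower()
            # Exactly one of the three value groups participates in the match.
            value = next(g for g in m.groups()[1:] if g is not None)
            reason = classify(variable, value)
            if reason:
                findings.append(
                    {"line": lineno, "variable": variable, "value": value, "reason": reason}
                )
    return findings


# Constructed general-log style lines (time, thread id, command, argument).
SAMPLE_LOG = """\
210319 14:02:10\t   45 Connect\tadmin@localhost on
210319 14:02:11\t   45 Query\tSHOW GLOBAL VARIABLES LIKE 'wsrep%'
210319 14:02:12\t   45 Query\tSET GLOBAL wsrep_provider='/tmp/evil.so'
210319 14:02:13\t   45 Query\tSET GLOBAL wsrep_provider="none"
210319 14:02:14\t   46 Query\tSET @@global.wsrep_notify_cmd='bash -c "id > /tmp/out"'
210319 14:02:15\t   46 Query\tSET GLOBAL wsrep_notify_cmd=''
210319 14:02:16\t   47 Query\tset global WSREP_PROVIDER = '/usr/lib/galera-4/libgalera_smm.so'
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {f['variable']}={f['value']!r}: {f['reason']}")
```

The same regex works on server_audit plugin output, where the statement sits inside a quoted CSV field; only the allowlist and the world-writable prefixes need tuning per host. Pair it with an alert on the mysqld process spawning children, since wsrep_notify_cmd never has to appear in a query log if it is set from a config file.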
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL (page label; NVD's v2 scale tops out at High) | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| osv | — | 7.2 | HIGH | — |
| vendor_debian | — | 7.2 | HIGH | — |
| vendor_msrc | — | 7.2 | HIGH | — |
| vendor_redhat | — | 7.2 | HIGH | — |
GHSA
GHSA-2q7x-w5q3-rjxc (ghsa_unreviewed · 2022-05-24 · HIGH · CWE-78): A remote code execution issue was discovered in MariaDB 10… (description identical to the NVD text above). Note that the sources on this page disagree on the weakness class: GHSA files it as CWE-78 (OS command injection), Red Hat as CWE-426 (untrusted search path) and Microsoft as CWE-94 (code injection); the mechanism is the same in each case, a SUPER user pointing wsrep_provider at an attacker-controlled shared object or wsrep_notify_cmd at a shell command.
OSV
CVE-2021-27928 (osv · 2021-03-19 · CVSS 7.2 · HIGH): A remote code execution issue was discovered in MariaDB 10… (description identical to the NVD text above).
CISA ICS
Festo Didactic SE MES PC (cisa_ics · 2026-01-27 · CVSS 7.5 · HIGH)
ICS Advisory ICSA-26-027-02, released January 27, 2026. Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems.
## Summary
MES PCs shipped with Windows 10 come pre-installed with XAMPP, a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered; they are fixed in newer versions of XAMPP by updating the bundled applications. MES PCs shipped with Windows 10 include a copy of XAMPP which contains around 140 such vulnerabilities, listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic's Factory Control Panel application.
The
Red Hat
mariadb: writable system variables allows a database user with SUPER privilege to execute arbitrary code as the system mysql user (vendor_redhat · 2021-03-19 · CVSS 7.2 · HIGH · CWE-426)
NVD description as above. Red Hat's own statement: A vulnerability was found in mariadb and in the mysql wsrep patch that allows remote code execution. A user with SUPER privileges could execute arbitrary shell commands in the context of the mariadb server process.
Mitigation: Only use
Microsoft
CVE-2021-27928 (vendor_msrc · 2021-03-09 · CVSS 7.2 · HIGH · CWE-94): NVD description as above.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is c
Debian
mariadb-10.5 (vendor_debian · 2021 · CVSS 7.2 · HIGH): NVD description as above.
Scope: local
bullseye: resolved (fixed in 1:10.5.9-1)
No detection rules found.
CTF
medium / README (ctf_writeups · CVSS 9.1 · CRITICAL)
---
layout: default
title: Medium Machines
parent: Machines
nav_order: 2
description: "112+ Medium HTB machine writeups with walkthroughs"
permalink: /machines/medium/
---
# HackTheBox - Medium Machines
> Comprehensive index of retired HTB Medium-difficulty machines with key techniques and attack path summaries.
**Total: 100+ machines** | Sorted roughly by retirement date (newest first)
---
## Machine Index
| # | Machine | OS | Key Techniques | Attack Path Summary | Writeup |
|---|---------|-----|----------------|---------------------|---------|
| 1 | Signed | Linux | Code Signing Bypass, Certificate Abuse | Forge code signature to deploy malicious update, escalate via trusted binary execution | [0xdf](https://0xdf.gitlab.io/2026/02/07/htb-signed.html) |
| 2 | Voleur | Linux | Data E
CTF
Shibboleth / README (ctf_writeups)
# Pandora Writeup
## Enumeration
### Nmap
First, let's scan for open ports using `nmap`. We can quickly scan for open ports and store them in a variable: `ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.124 | grep "^[0-9]" | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)`. Then, we can scan those specific ports in depth by running `nmap`'s built-in scripts: `nmap -p$ports -sC -sV 10.10.11.124`.
```
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://shibboleth.htb/
Service Info: Host: shibboleth.htb
```
It looks like there is an Apache webserver running on port 80. Attempting to visit the website redirects us to `http://shibboleth.htb`, so let's add that to `/etc/hosts`: `echo "10.10.11
CTF
Shibboleth / README (ctf_writeups · CVSS 7.2 · HIGH)
# Shibboleth - HackTheBox - Writeup
Linux, 30 Base Points, Medium
## Machine
## TL;DR
To solve this machine, we begin by enumerating open services using ```nmap```, finding port ```80```; a UDP scan also finds port ```623```.
***User***: Found vhosts of the Zabbix system. Using the ```scanner/ipmi/ipmi_dumphashes``` Metasploit module we dumped the ```Administrator``` password of Zabbix. Through Zabbix we get remote command execution and a reverse shell as ```zabbix```; reusing the same password we get the user ```ipmi-svc```.
***Root***: Exploiting the DB ```10.3.25-MariaDB``` using [CVE-2021-27928](https://www.exploit-db.com/exploits/49765) to get a reverse shell as ```root```.
## Shibboleth Solution
### User
Let's start with ```nmap``` scanning:
References
- http://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html
- https://jira.mariadb.org/browse/MDEV-25179
- https://lists.debian.org/debian-lts-announce/2021/03/msg00028.html
- https://mariadb.com/kb/en/mariadb-10237-release-notes/
- https://mariadb.com/kb/en/mariadb-10328-release-notes/
- https://mariadb.com/kb/en/mariadb-10418-release-notes/
- https://mariadb.com/kb/en/mariadb-1059-release-notes/
- https://mariadb.com/kb/en/security/
- https://security.gentoo.org/glsa/202105-28