CVE-2022-31621 — Improper Locking in Mariadb

CWE-667 — Improper Locking8 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 90.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mariadb

Timeline

PublishedMay 25

Latest updateMay 26

Description

MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_xbstream.cc, when an error occurs (stream_ctxt->dest_file == NULL) while executing the method xbstream_open, the held lock is not released correctly, which allows local users to trigger a denial of service due to the deadlock. Note: The vendor argues this is just an improper locking bug and not a vulnerability with adverse effects.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages1 packages

▶NVDmariadb/mariadb10.3.0 — 10.3.32+4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-vx82-3vmh-hc4q: MariaDB Server before 10↗2022-05-26

▶

OSV

CVE-2022-31621: ** DISPUTED ** MariaDB Server before 10↗2022-05-25

▶

CVEList

CVE-2022-31621: MariaDB Server before 10↗2022-05-25

▶

OSV

CVE-2022-31621: MariaDB Server before 10↗2022-05-25

▶

📋Vendor Advisories

Microsoft

MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_xbstream.cc when an error occurs (stream_ctxt->dest_file == NULL) while executing the method xbstream_open the he↗2022-05-10

▶

Debian

CVE-2022-31621: mariadb-10.5 - MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabac...↗2022

▶

Red Hat

mariadb: improper locking due to unreleased lock in the ds_xbstream.cc↗2021-09-08

▶