CVE-2020-15180

EPSS 4.6%
Published 27.05.2021 20:15:07
Last modified 21.11.2024 05:05:01
Source security-advisories@github.com
Teams watchlist Login
Open Login

A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6.

Affected products Warnungen 0 Metrics 3 CWE 2 References 8

Data is provided by the National Vulnerability Database (NVD)

Mariadb ≫ Mariadb Version >= 10.1.0 < 10.1.47

Mariadb ≫ Mariadb Version >= 10.2.0 < 10.2.34

Mariadb ≫ Mariadb Version >= 10.3.0 < 10.3.25

Mariadb ≫ Mariadb Version >= 10.4.0 < 10.4.15

Mariadb ≫ Mariadb Version >= 10.5.0 < 10.5.6

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Percona ≫ Xtradb Cluster Version < 5.6.49-28.42.2

Percona ≫ Xtradb Cluster Version >= 5.7 < 5.7.31-31.45.2

Percona ≫ Xtradb Cluster Version >= 8.0 < 8.0.20-11.2

Galeracluster ≫ Galera Cluster For Mysql Version >= 5.6 < 5.6.49

Galeracluster ≫ Galera Cluster For Mysql Version >= 5.7 < 5.7.31

Galeracluster ≫ Galera Cluster For Mysql Version >= 8.0 < 8.0.21

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	4.6%	0.888

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9	2.2	6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://bugzilla.redhat.com/show_bug.cgi?id=1894919

Third Party Advisory

Issue Tracking

https://lists.debian.org/debian-lts-announce/2020/10/msg00021.html

Third Party Advisory

Mailing List

https://security.gentoo.org/glsa/202011-14

Third Party Advisory

https://www.debian.org/security/2020/dsa-4776

Third Party Advisory

https://www.percona.com/blog/2020/10/30/cve-2020-15180-affects-percona-xtradb-cluster/

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-15180

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-15180

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-15180

EUVD