Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2020-15180

Disclosure Date: May 27, 2021
CVE-2020-15180 CVSS v3 Base Score: 9.0
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in wsrep_sst_method allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system’s confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
9.0 Critical
Impact Score:
6
Exploitability Score:
2.2
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Changed
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
mariadb mariadb 10.1.47, mariadb 10.2.34, mariadb 10.3.25, mariadb 10.4.15, mariadb 10.5.6
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • debian,
  • galeracluster,
  • mariadb,
  • percona

Products

  • debian linux 10.0,
  • debian linux 9.0,
  • galera cluster for mysql,
  • mariadb,
  • xtradb cluster
Technical Analysis