Information disclosure in mariadb (Alpine package)

1) Information disclosure

EUVDB-ID: #VU6896

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3313

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local high privileged attacker to obtain potentially sensitive information.

The weakness exists due to an error in MyISAM component. A local attacker can gain unauthorized access to critical data or complete access to all MySQL Server accessible data.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Install update from vendor's website.

Vulnerable software versions

mariadb (Alpine package): 10.1.21-r0

CPE2.3

• cpe:2.3:o:alpine:mariadb_alpine_package:10.1.21-r0:*:*:*:*:alpine_linux:*:3.2

External links

https://git.alpinelinux.org/aports/commit/?id=bb3e58d46d4c459703177662c32c9cb954bb06e3
https://git.alpinelinux.org/aports/commit/?id=28850b3a43930dcaba7ce82fa55bb53853cf412d
https://git.alpinelinux.org/aports/commit/?id=0af8e020357e06efb024840fcd0c25246bec62db
https://git.alpinelinux.org/aports/commit/?id=1079181bed96dff7b7fa1d2dc1d5078a74bea57c
https://git.alpinelinux.org/aports/commit/?id=0e3ca69b1749cd4d06186562a84fb24e7cc4fcaf
https://git.alpinelinux.org/aports/commit/?id=b50b8e49e231f6726bbc4ffbeb94c0b2d8e51dda
https://git.alpinelinux.org/aports/commit/?id=417a960f840f84865d1066eceb04f147363cf8a3
https://git.alpinelinux.org/aports/commit/?id=3c979daea8b4edb2efde9199fe3ef7b4bb31f916

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.