Input validation error in MariaDB

Published: 2018-07-18 | Updated: 2020-08-04

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2018-3058
CWE-ID	CWE-20
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	MariaDB Server applications / Database software
Vendor	MariaDB Foundation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Input validation error

EUVDB-ID: #VU33737

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-3058

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to manipulate data.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: MyISAM). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

Mitigation

Install update from vendor's website.

Vulnerable software versions

MariaDB: 5.5.20 - 5.5.60

CPE2.3

cpe:2.3:a:mariadb_foundation:mariadb:5.5.60:*:*:*:*:*:*:*

External links

https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://www.securityfocus.com/bid/104766
https://www.securitytracker.com/id/1041294
https://access.redhat.com/errata/RHSA-2018:3655
https://access.redhat.com/errata/RHSA-2019:1258
https://access.redhat.com/errata/RHSA-2019:2327
https://lists.debian.org/debian-lts-announce/2018/08/msg00036.html
https://lists.debian.org/debian-lts-announce/2018/11/msg00004.html
https://security.netapp.com/advisory/ntap-20180726-0002/
https://usn.ubuntu.com/3725-1/
https://usn.ubuntu.com/3725-2/
https://www.debian.org/security/2018/dsa-4341

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.