#VU33737 Input validation error in MariaDB - CVE-2018-3058
Vulnerability identifier: #VU33737
Vulnerability risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-3058
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
MariaDB
Server applications /
Database software
Vendor: MariaDB Foundation
Description
The vulnerability allows a remote authenticated user to manipulate data.
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: MyISAM). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
Mitigation
Install update from vendor's website.
Vulnerable software versions
MariaDB: 5.5.20 - 5.5.60
External links
https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://www.securityfocus.com/bid/104766
https://www.securitytracker.com/id/1041294
https://access.redhat.com/errata/RHSA-2018:3655
https://access.redhat.com/errata/RHSA-2019:1258
https://access.redhat.com/errata/RHSA-2019:2327
https://lists.debian.org/debian-lts-announce/2018/08/msg00036.html
https://lists.debian.org/debian-lts-announce/2018/11/msg00004.html
https://security.netapp.com/advisory/ntap-20180726-0002/
https://usn.ubuntu.com/3725-1/
https://usn.ubuntu.com/3725-2/
https://www.debian.org/security/2018/dsa-4341
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
