Vulnerability Details: CVE-2017-15365
sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x before 10.2.10 and Percona XtraDB Cluster before 5.6.37-26.21-3 and 5.7.x before 5.7.19-29.22-3 allows remote authenticated users with SQL access to bypass intended access restrictions and replicate data definition language (DDL) statements to cluster nodes by leveraging incorrect ordering of DDL replication and ACL checking.
Products affected by CVE-2017-15365
- cpe:2.3:o:fedoraproject:fedora:26:*:*:*:*:*:*:*
- cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*
- cpe:2.3:a:percona:xtradb_cluster:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-15365
EPSS score: 0.39% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~73% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2017-15365
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
References for CVE-2017-15365
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ELCZV46WIYSJ6VMC65GMNN3A3QDRUJGK/ ([SECURITY] Fedora 26 Update: mariadb-10.1.30-1.fc26, package-announce, Fedora Mailing Lists; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1524234 (Bug 1524234, CVE-2017-15365 mariadb: Replication in sql/event_data_objects.cc occurs before ACL checks; Issue Tracking, Third Party Advisory)
- https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.19-29.22-3.html (Percona XtraDB Cluster 5.7.19-29.22-3; Release Notes, Vendor Advisory)
- https://mariadb.com/kb/en/library/mariadb-10210-release-notes/ (MariaDB 10.2.10 Release Notes, MariaDB Knowledge Base; Release Notes, Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2019:1258 (RHSA-2019:1258, Security Advisory, Red Hat Customer Portal)
- https://www.percona.com/blog/2017/10/30/percona-xtradb-cluster-5-6-37-26-21-3-is-now-available/ (Percona XtraDB Cluster 5.6.37-26.21-3 is Now Available, Percona Database Performance Blog; Release Notes, Vendor Advisory)
- https://www.debian.org/security/2018/dsa-4341 (Debian Security Information, DSA-4341-1 mariadb-10.1)
- https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e (MW-416 DDL replication moved after acl checking, MariaDB/server@0b5a525, GitHub; Patch, Third Party Advisory)
- https://mariadb.com/kb/en/library/mariadb-10130-release-notes/ (MariaDB 10.1.30 Release Notes, MariaDB Knowledge Base; Release Notes, Vendor Advisory)