U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): cpe:2.3:a:mariadb:mariadb:10.8.0:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 17 matching records.
Displaying matches 1 through 17.
Vuln ID Summary CVSS Severity
CVE-2023-5157

A vulnerability was found in MariaDB. An OpenVAS port scan on ports 3306 and 4567 allows a malicious remote client to cause a denial of service.

Published: September 27, 2023; 11:19:41 AM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2022-47015

MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.

Published: January 20, 2023; 2:15:17 PM -0500
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-38791

In MariaDB before 10.9.2, compress_write in extra/mariabackup/ds_compress.cc does not release data_mutex upon a stream write failure, which allows local users to trigger a deadlock.

Published: August 27, 2022; 4:15:08 PM -0400
V3.1: 5.5 MEDIUM
V2.0:(not available)
CVE-2022-32091

MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.

Published: July 01, 2022; 4:15:08 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2022-32089

MariaDB v10.5 to v10.7 was discovered to contain a segmentation fault via the component st_select_lex_unit::exclude_level.

Published: July 01, 2022; 4:15:08 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2022-32084

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component sub_select.

Published: July 01, 2022; 4:15:08 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2022-32082

MariaDB v10.5 to v10.7 was discovered to contain an assertion failure at table->get_ref_count() == 0 in dict0dict.cc.

Published: July 01, 2022; 4:15:08 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2022-32081

MariaDB v10.4 to v10.7 was discovered to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc.

Published: July 01, 2022; 4:15:08 PM -0400
V3.1: 7.5 HIGH
V2.0: 7.5 HIGH
CVE-2022-27384

An issue in the component Item_subselect::init_expr_cache_tracker of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

Published: April 12, 2022; 4:15:08 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2022-27383

MariaDB Server v10.6 and below was discovered to contain an use-after-free in the component my_strcasecmp_8bit, which is exploited via specially crafted SQL statements.

Published: April 12, 2022; 4:15:08 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2022-27378

An issue in the component Create_tmp_table::finalize of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

Published: April 12, 2022; 4:15:08 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2018-25032

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Published: March 25, 2022; 5:15:08 AM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2022-24052

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

Published: February 18, 2022; 3:15:18 PM -0500
V3.1: 7.8 HIGH
V2.0: 4.6 MEDIUM
CVE-2022-24051

MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16193.

Published: February 18, 2022; 3:15:17 PM -0500
V3.1: 7.8 HIGH
V2.0: 4.6 MEDIUM
CVE-2022-24050

MariaDB CONNECT Storage Engine Use-After-Free Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16207.

Published: February 18, 2022; 3:15:17 PM -0500
V3.1: 7.8 HIGH
V2.0: 4.6 MEDIUM
CVE-2022-24048

MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16191.

Published: February 18, 2022; 3:15:17 PM -0500
V3.1: 7.8 HIGH
V2.0: 4.6 MEDIUM
CVE-2017-12419

If, after successful installation of MantisBT through 2.5.2 on MySQL/MariaDB, the administrator does not remove the 'admin' directory (as recommended in the "Post-installation and upgrade tasks" section of the MantisBT Admin Guide), and the MySQL client has a local_infile setting enabled (in php.ini mysqli.allow_local_infile, or the MySQL client config file, depending on the PHP setup), an attacker may take advantage of MySQL's "connect file read" feature to remotely access files on the MantisBT server.

Published: August 05, 2017; 11:29:00 AM -0400
V3.0: 4.9 MEDIUM
V2.0: 4.0 MEDIUM