#VU32224 Information disclosure in MariaDB - CVE-2016-5584
Vulnerability identifier: #VU32224
Vulnerability risk: Low
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-200
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
MariaDB
Server applications /
Database software
Vendor: MariaDB Foundation
Description
The vulnerability allows a remote privileged user to gain access to sensitive information.
Unspecified vulnerability in Oracle MySQL 5.5.52 and earlier, 5.6.33 and earlier, and 5.7.15 and earlier allows remote administrators to affect confidentiality via vectors related to Server: Security: Encryption.
Mitigation
Install update from vendor's website.
Vulnerable software versions
MariaDB: 5.5.20 - 5.5.52
External links
https://www.debian.org/security/2016/dsa-3706
https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
https://www.securityfocus.com/bid/93735
https://www.securitytracker.com/id/1037050
https://mariadb.com/kb/en/mariadb/mariadb-10028-release-notes/
https://security.gentoo.org/glsa/201701-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
