#VU33807 Input validation error in MariaDB - CVE-2016-5444
Vulnerability identifier: #VU33807
Vulnerability risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
MariaDB
Server applications /
Database software
Vendor: MariaDB Foundation
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows remote attackers to affect confidentiality via vectors related to Server: Connection.
Mitigation
Install update from vendor's website.
Vulnerable software versions
MariaDB: 5.5.20 - 5.5.48, 10.0.0 - 10.0.24, 10.1.0 - 10.1.13
External links
https://rhn.redhat.com/errata/RHSA-2016-0705.html
https://rhn.redhat.com/errata/RHSA-2016-1480.html
https://rhn.redhat.com/errata/RHSA-2016-1481.html
https://rhn.redhat.com/errata/RHSA-2016-1602.html
https://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
https://www.securityfocus.com/bid/91787
https://www.securityfocus.com/bid/91987
https://www.securitytracker.com/id/1036362
https://www-01.ibm.com/support/docview.wss?uid=isg3T1024168
https://access.redhat.com/errata/RHSA-2016:1132
https://mariadb.com/kb/en/mariadb/mariadb-10025-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10114-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-5549-release-notes/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
