MariaDB up to 10.5.6 on Windows Named Pipe Connection channel accessible

Summaryinfo

A vulnerability marked as critical has been reported in MariaDB up to 10.1.47/10.2.34/10.3.25/10.4.15/10.5.6 on Windows. Affected by this vulnerability is an unknown functionality of the component Named Pipe Connection Handler. The manipulation leads to channel accessible. This vulnerability is listed as CVE-2020-28912. The attack may be initiated remotely. There is no available exploit. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in MariaDB up to 10.1.47/10.2.34/10.3.25/10.4.15/10.5.6 on Windows (Database Software) and classified as critical. This issue affects an unknown code of the component Named Pipe Connection Handler. The manipulation with an unknown input leads to a channel accessible vulnerability. Using CWE to declare the problem leads to CWE-300. The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. Impacted is confidentiality, integrity, and availability.

The weakness was presented 12/25/2020. The advisory is shared at hackerone.com. The identification of this vulnerability is CVE-2020-28912. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1557 for this issue.

Upgrading to version 10.1.48, 10.2.35, 10.3.26, 10.4.16 or 10.5.7 eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Database Software

Name

• MariaDB

Version

• 10.1.0
• 10.1.1
• 10.1.2
• 10.1.3
• 10.1.4
• 10.1.5
• 10.1.6
• 10.1.7
• 10.1.8
• 10.1.9
• 10.1.10
• 10.1.11
• 10.1.12
• 10.1.13
• 10.1.14
• 10.1.15
• 10.1.16
• 10.1.17
• 10.1.18
• 10.1.19
• 10.1.20
• 10.1.21
• 10.1.22
• 10.1.23
• 10.1.24
• 10.1.25
• 10.1.26
• 10.1.27
• 10.1.28
• 10.1.29
• 10.1.30
• 10.1.31
• 10.1.32
• 10.1.33
• 10.1.34
• 10.1.35
• 10.1.36
• 10.1.37
• 10.1.38
• 10.1.39
• 10.1.40
• 10.1.41
• 10.1.42
• 10.1.43
• 10.1.44
• 10.1.45
• 10.1.46
• 10.1.47
• 10.2.0
• 10.2.1
• 10.2.2
• 10.2.3
• 10.2.4
• 10.2.5
• 10.2.6
• 10.2.7
• 10.2.8
• 10.2.9
• 10.2.10
• 10.2.11
• 10.2.12
• 10.2.13
• 10.2.14
• 10.2.15
• 10.2.16
• 10.2.17
• 10.2.18
• 10.2.19
• 10.2.20
• 10.2.21
• 10.2.22
• 10.2.23
• 10.2.24
• 10.2.25
• 10.2.26
• 10.2.27
• 10.2.28
• 10.2.29
• 10.2.30
• 10.2.31
• 10.2.32
• 10.2.33
• 10.2.34
• 10.3.0
• 10.3.1
• 10.3.2
• 10.3.3
• 10.3.4
• 10.3.5
• 10.3.6
• 10.3.7
• 10.3.8
• 10.3.9
• 10.3.10
• 10.3.11
• 10.3.12
• 10.3.13
• 10.3.14
• 10.3.15
• 10.3.16
• 10.3.17
• 10.3.18
• 10.3.19
• 10.3.20
• 10.3.21
• 10.3.22
• 10.3.23
• 10.3.24
• 10.3.25
• 10.4.0
• 10.4.1
• 10.4.2
• 10.4.3
• 10.4.4
• 10.4.5
• 10.4.6
• 10.4.7
• 10.4.8
• 10.4.9
• 10.4.10
• 10.4.11
• 10.4.12
• 10.4.13
• 10.4.14
• 10.4.15
• 10.5.0
• 10.5.1
• 10.5.2
• 10.5.3
• 10.5.4
• 10.5.5
• 10.5.6

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion