VDB
CVE-2020-15180
CVE-2020-15180
PUBLISHED
CVSS 9.300000190734863 CRITICAL
A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6.
EPSS 4.60% · 89.4th percentile
Risk Scores
CVSS v4.0
9.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
4.60%
89.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | mysql-client | 10.1.0, 10.5.0, 10.4.0 |
| Bitnami | mysql-client | 10.1.0, 10.5.0, 10.4.0 |
| Bitnami | mariadb | 10.5.0, 10.2.0, 10.1.0 |
| Bitnami | mariadb | 10.3.0, 10.1.0, 10.2.0 |
| Bitnami | mariadb-min | 10.2.0, 10.1.0, 10.4.0 |
| Bitnami | mariadb-min | 10.2.0, 10.1.0, 10.5.0 |
Timeline
- Dec 2, 2020 CVE Published
- May 28, 2021 EPSS Score
- Jul 30, 2021 EPSS Score
- Nov 29, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Aug 2, 2022 EPSS Score
- Oct 2, 2022 EPSS Score
- Feb 1, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 4, 2023 EPSS Score
References
- https://lists.debian.org/debian-lts-announce/2020/10/msg00021.html url
- https://bugzilla.redhat.com/show_bug.cgi?id=1894919 url
- https://nvd.nist.gov/vuln/detail/CVE-2020-15180 url
- https://security.gentoo.org/glsa/202011-14 url
- https://www.debian.org/security/2020/dsa-4776 url
- https://www.percona.com/blog/2020/10/30/cve-2020-15180-affects-percona-xtradb-cluster/ url