Description
A flaw was found in the mysql-wsrep (Galera replication) component of MariaDB. The value of `wsrep_sst_method`, which selects the `wsrep_sst_<method>` state snapshot transfer (SST) script, is not sanitized before it is used to build the command that launches that script. A remote attacker who can influence the value can therefore inject shell commands that run on Galera cluster nodes, threatening the confidentiality, integrity, and availability of the system. This flaw affects MariaDB versions before 10.1.47, 10.2.34, 10.3.25, 10.4.15 and 10.5.6.
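The pattern behind this CVE, as an added Python illustration that is not MariaDB's own C++ code: an SST method name is spliced into a shell command string, so shell metacharacters in the name become additional commands; the hardened form validates the name against an allowlist and builds an argv list so no shell parses it. The `wsrep_sst_<method>` script name and the `--role`/`--address` options are assumptions for illustration, the attacker-controlled value is constructed, and the allowlist regex is this example's own, not the upstream fix.

```python
import re
import subprocess

# Allowlist for the SST method name. Assumption made for this example: a
# legitimate value is a short token such as "rsync", "mariabackup" or
# "xtrabackup-v2"; anything shell-significant (spaces, quotes, ';', '|',
# '$(', backticks) has no business in it and is rejected outright.
SST_METHOD_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def build_sst_command_unsafe(method: str, role: str, address: str) -> str:
    """Vulnerable pattern: the method name is spliced into a single shell
    command string that is later handed to /bin/sh. Script name and option
    names are illustrative, not MariaDB's real invocation."""
    return f"wsrep_sst_{method} --role '{role}' --address '{address}'"


def is_safe_sst_method(method: str) -> bool:
    """True only when the value is a plain token from the allowlist pattern."""
    return SST_METHOD_RE.fullmatch(method) is not None


def validate_sst_method(method: str) -> str:
    """Reject any wsrep_sst_method value that is not a plain token."""
    if not is_safe_sst_method(method):
        raise ValueError(f"rejected wsrep_sst_method: {method!r}")
    return method


def build_sst_command_safe(method: str, role: str, address: str) -> list[str]:
    """Hardened pattern: validate first, then build an argv list so that no
    shell ever parses the arguments. The method can only select which
    wsrep_sst_<method> script runs; it cannot append extra commands."""
    method = validate_sst_method(method)
    return [f"wsrep_sst_{method}", "--role", role, "--address", address]


def shell_injection_demo(method: str) -> bool:
    """Run the unsafe command string through /bin/sh the way the vulnerable
    pattern would and report whether the injected marker reached stdout.
    No wsrep_sst_* script exists here, so the shell prints 'command not
    found' on stderr and then runs whatever followed the ';'."""
    cmd = build_sst_command_unsafe(method, "donor", "127.0.0.1:4444")
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return "INJECTED" in result.stdout


if __name__ == "__main__":
    payload = "rsync; echo INJECTED"  # constructed attacker-controlled value
    print("unsafe string:", build_sst_command_unsafe(payload, "donor", "127.0.0.1:4444"))
    print("marker printed by shell:", shell_injection_demo(payload))
    try:
        build_sst_command_safe(payload, "donor", "127.0.0.1:4444")
    except ValueError as err:
        print("hardened builder:", err)
    print("hardened argv:", build_sst_command_safe("mariabackup", "donor", "127.0.0.1:4444"))
```

Running the block shows the marker printed by the shell for the injected value, while the hardened builder refuses the same value and only ever produces an argv list for a clean token. The allowlist is the important part: quoting the method name inside the string would still leave the script name itself attacker-chosen.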
References (5)
Mailing list, third-party advisory (Debian LTS announce): https://lists.debian.org/debian-lts-announce/2020/10/msg00021.html
Vendor advisory (Debian DSA-4776): https://www.debian.org/security/2020/dsa-4776
Vendor advisory (Gentoo GLSA 202011-14): https://security.gentoo.org/glsa/202011-14
Patch, third-party advisory (Percona blog): https://www.percona.com/blog/2020/10/30/cve-2020-15180-affects-percona-xtradb-cluster/
Issue tracking, third-party advisory (Red Hat Bugzilla 1894919): https://bugzilla.redhat.com/show_bug.cgi?id=1894919
Scores
CVSS v3.1 base score: 9.0 (Critical)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (network attack vector, high attack complexity, no privileges or user interaction required, changed scope, high confidentiality, integrity and availability impact)
EPSS score: 0.0460
EPSS percentile: 89.4%
Details
CWE: CWE-20 (Improper Input Validation), CWE-77 (Improper Neutralization of Special Elements used in a Command)
Status: published
Products (5)
debian/debian_linux: 9.0
debian/debian_linux: 10.0
galeracluster/galera_cluster_for_mysql: 5.6 - 5.6.49
mariadb/mariadb: 10.1.0 - 10.1.47
percona/xtradb_cluster: < 5.6.49-28.42.2
Published: May 27, 2021
Tracked since: Feb 18, 2026