Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.MARIADB_10_0_2.NASL
HistoryNov 18, 2022 - 12:00 a.m.

MariaDB 10.0.0 < 10.0.2 Multiple Vulnerabilities

2022-11-1800:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
14
mariadb
oracle mysql
vulnerabilities
remote
authenticated
denial of service
confidentiality
integrity
availability
nessus
scanner

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

5.5 Medium

AI Score

Confidence

High

0.032 Low

EPSS

Percentile

91.2%

JSON

The version of MariaDB installed on the remote host is prior to 10.0.2. It is, therefore, affected by multiple vulnerabilities as referenced in the mariadb-10-0-2-release-notes advisory.

  • Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier, and MariaDB 5.5.28a and possibly other versions, allows remote authenticated users to cause a denial of service (mysqld crash) via a SELECT command with an UpdateXML command containing XML with a large number of unique, nested elements. (CVE-2012-5614)

  • Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Locking.
    (CVE-2013-1506)

  • Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language. (CVE-2013-1512)

  • Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Server Locking. (CVE-2013-1521)

  • Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier and 5.6.10 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Server Optimizer. (CVE-2013-1523)

  • Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Replication. (CVE-2013-1526)

  • Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
    (CVE-2013-1552)

  • Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, and 5.5.29 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Partition.
    (CVE-2013-1555)

  • Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Information Schema. (CVE-2013-2378)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(167854);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/26");

  script_cve_id(
    "CVE-2012-5614",
    "CVE-2013-1506",
    "CVE-2013-1512",
    "CVE-2013-1521",
    "CVE-2013-1523",
    "CVE-2013-1526",
    "CVE-2013-1552",
    "CVE-2013-1555",
    "CVE-2013-2378"
  );

  script_name(english:"MariaDB 10.0.0 < 10.0.2 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of MariaDB installed on the remote host is prior to 10.0.2. It is, therefore, affected by multiple
vulnerabilities as referenced in the mariadb-10-0-2-release-notes advisory.

  - Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier, and MariaDB 5.5.28a and possibly other versions,
    allows remote authenticated users to cause a denial of service (mysqld crash) via a SELECT command with an
    UpdateXML command containing XML with a large number of unique, nested elements. (CVE-2012-5614)

  - Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 and earlier, and 5.6.10 and earlier
    allows remote authenticated users to affect availability via unknown vectors related to Server Locking.
    (CVE-2013-1506)

  - Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier allows remote authenticated users to affect
    availability via unknown vectors related to Data Manipulation Language. (CVE-2013-1512)

  - Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier allows remote
    authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to
    Server Locking. (CVE-2013-1521)

  - Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier and 5.6.10 and earlier allows remote
    authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to
    Server Optimizer. (CVE-2013-1523)

  - Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier allows remote authenticated users to affect
    availability via unknown vectors related to Server Replication. (CVE-2013-1526)

  - Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier allows remote
    authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
    (CVE-2013-1552)

  - Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, and 5.5.29 and earlier, allows remote
    authenticated users to affect availability via unknown vectors related to Server Partition.
    (CVE-2013-1555)

  - Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 and earlier, and 5.6.10 and earlier
    allows remote authenticated users to affect confidentiality, integrity, and availability via unknown
    vectors related to Information Schema. (CVE-2013-2378)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mariadb.com/kb/en/mariadb-10-0-2-release-notes");
  script_set_attribute(attribute:"solution", value:
"Upgrade to MariaDB version 10.0.2 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-2378");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/12/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/04/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/11/18");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mariadb:mariadb");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mysql_version.nasl", "mysql_login.nasl", "mariadb_nix_installed.nbin", "mariadb_win_installed.nbin");
  script_require_keys("installed_sw/MariaDB");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::combined_get_app_info(app:'MariaDB');

if (!(app_info.local) && report_paranoia < 2)
  audit(AUDIT_POTENTIAL_VULN, 'MariaDB');

vcf::check_all_backporting(app_info:app_info);

var constraints = [
  { 'min_version' : '10.0', 'fixed_version' : '10.0.2' }
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
VendorProductVersionCPE
mariadbmariadbcpe:/a:mariadb:mariadb

Related

nessus 13
openvas 21
amazon 2
veracode 11
ubuntu 2
centos 1
oraclelinux 1
redhat 1
packetstorm 1
cve 9
mariadbunix 9
cvelist 9
prion 9
nvd 9
ubuntucve 9
thn 1
securityvulns 2
threatpost 1
gentoo 1
oracle 1
nessus
nessus
MariaDB 5.5 < 5.5.30 Multiple Vulnerabilities
2013-03-29 00:00:00
CentOS 6 : mysql (CESA-2013:0772)
2013-04-30 00:00:00
MySQL 5.5 < 5.5.31 Multiple Vulnerabilities
2013-04-22 00:00:00
openvas
openvas
Oracle MySQL Server <= 5.1.67 / 5.5 <= 5.5.29 Security Update (cpuapr2013) - Windows
2021-02-09 00:00:00
Oracle MySQL Server <= 5.1.67 / 5.5 <= 5.5.29 Security Update (cpuapr2013) - Linux
2013-04-22 00:00:00
Oracle MySQL Server <= 5.1.67 / 5.5 <= 5.5.29 / 5.6 <= 5.6.10 Security Update (cpuapr2013) - Linux
2013-04-22 00:00:00
amazon
amazon
Important: mysql51
2013-04-25 20:40:00
Important: mysql55
2013-04-25 20:40:00
veracode
veracode
Improper Access Control
2019-05-02 04:44:48
Improper Access Control
2019-05-02 04:44:49
Authentication Bypass
2019-05-02 04:44:50
ubuntu
ubuntu
MySQL vulnerabilities
2013-04-25 00:00:00
MySQL vulnerabilities
2013-04-25 00:00:00
centos
centos
mysql security update
2013-04-25 20:16:01
oraclelinux
oraclelinux
mysql security update
2013-04-25 00:00:00
redhat
redhat
(RHSA-2013:0772) Important: mysql security update
2013-04-25 00:00:00
packetstorm
packetstorm
Oracle MySQL 5.5.19-log Denial Of Service
2012-12-03 00:00:00
cve
cve
CVE-2012-5614
2012-12-03 12:49:43
CVE-2013-1506
2013-04-17 12:14:51
CVE-2013-1512
2013-04-17 12:14:52
mariadbunix
mariadbunix
CVE-2012-5614
2012-12-03 12:49:00
CVE-2013-1506
2013-04-17 12:14:00
CVE-2013-1512
2013-04-17 12:14:00
cvelist
cvelist
CVE-2012-5614
2012-12-03 11:00:00
CVE-2013-1506
2013-04-17 05:04:00
CVE-2013-1512
2013-04-17 05:04:00
prion
prion
Design/Logic Flaw
2013-04-17 12:14:00
Command injection
2012-12-03 12:49:00
Design/Logic Flaw
2013-04-17 17:55:00
nvd
nvd
CVE-2012-5614
2012-12-03 12:49:43
CVE-2013-1506
2013-04-17 12:14:51
CVE-2013-2378
2013-04-17 17:55:06
ubuntucve
ubuntucve
CVE-2013-1506
2013-04-17 00:00:00
CVE-2012-5614
2012-12-03 00:00:00
CVE-2013-1512
2013-04-17 00:00:00
thn
thn
Multiple MySQL database Zero-day vulnerabilities published
2012-12-03 13:54:00
securityvulns
securityvulns
MySQL multiple security vulnerabilities
2012-12-07 00:00:00
Oracle / Sun / MySQL / PeopleSoft multiple applications security vulnerabilities
2013-05-04 00:00:00
threatpost
threatpost
Experts Downplay MySQL Database Zero-Days
2012-12-03 19:31:06
gentoo
gentoo
MySQL: Multiple vulnerabilities
2013-08-29 00:00:00
oracle
oracle
Oracle Critical Patch Update - April 2013
2013-04-16 00:00:00

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

5.5 Medium

AI Score

Confidence

High

0.032 Low

EPSS

Percentile

91.2%

JSON
Related for MARIADB_10_0_2.NASL
nessus13openvas21amazon2veracode11ubuntu2centos1oraclelinux1redhat1packetstorm1cve9mariadbunix9cvelist9prion9nvd9ubuntucve9thn1securityvulns2threatpost1gentoo1oracle1