King Cope

Name of the Vulnerable Software and Affected Versions: MariaDB version 11.1 Description: The issue in MariaDB is related to incorrect management of code generation in the lib mysqludf sys.so library, which can be exploited by an attacker to elevate privileges and execute arbitrary code. A remote attacker can execute arbitrary code via the `lib mysqludf sys.so` function. Note that this is disputed by the MariaDB Foundation because no privilege boundary is crossed. Recommendations: For MariaDB version 11.1, consider disabling the use of the `lib mysqludf sys.so` function as a temporary workaround until a patch is available. Restrict access to the `lib mysqludf sys.so` library to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MariaDB version 10.5 **Description** Insecure permissions in the `sys exec` function allow authenticated attackers to execute arbitrary commands with elevated privileges. This issue is disputed by the MariaDB Foundation because no privilege boundary is crossed. **Recommendations** For MariaDB version 10.5, consider disabling the `sys exec` function as a temporary workaround until a patch is available. Restrict access to the `sys exec` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MariaDB version 10.5 **Description** The issue is related to a remote code execution vulnerability via UDF Code in a Shared Object File, followed by a "create function" statement. This vulnerability is associated with insufficient input validation, which may allow a remote attacker to execute arbitrary code. Note that the MariaDB Foundation disputes this issue, stating that no privilege boundary is crossed. **Recommendations** For MariaDB version 10.5, update to the latest release to mitigate the risks associated with this issue. As a temporary workaround, consider restricting the use of user-defined functions (UDFs) until a patch is available. Avoid using the `create function` statement with untrusted input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.