PT-2021-3622
Sergei Golubchik · Published 2021-02-22 · Updated 2025-09-29 · CVE-2021-27928
CVSS v2.0: 9.0 (High)
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
MariaDB versions 10.2 through 10.2.37
MariaDB versions 10.3 through 10.3.28
MariaDB versions 10.4 through 10.4.18
MariaDB versions 10.5 through 10.5.9
Percona Server through 2021-03-03
wsrep patch through 2021-03-03 for MySQL
Description
The issue is a remote code execution vulnerability in MariaDB in which an untrusted search path leads to eval injection: a database user holding the SUPER privilege can execute OS commands after modifying the wsrep_provider and wsrep_notify_cmd system variables. The root cause is a lack of input validation on these variables.
Recommendations
For MariaDB versions 10.2 through 10.2.37, update to version 10.2.37 or later.
For MariaDB versions 10.3 through 10.3.28, update to version 10.3.28 or later.
For MariaDB versions 10.4 through 10.4.18, update to version 10.4.18 or later.
For MariaDB versions 10.5 through 10.5.9, update to version 10.5.9 or later.
For Percona Server through 2021-03-03, update to a version later than 2021-03-03.
For wsrep patch through 2021-03-03 for MySQL, update to a version later than 2021-03-03.
As a temporary workaround, consider restricting access to the wsrep_provider and wsrep_notify_cmd variables to minimize the risk of exploitation.
Exploit
Fix
RCE
OS Command Injection
Code Injection
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Mariadb
Mariadb Server
Mysql Server
Percona Server
Red Hat
Rocky Linux
Suse