PT-2023-4394 · Mariadb · Mariadb Maxscale

Massimo · Published 2023-07-25 · Updated 2023-08-22 · CVE-2023-40354

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

MariaDB MaxScale versions prior to 2.5.28
MariaDB MaxScale versions prior to 6.4.9
MariaDB MaxScale versions prior to 22.08.8
MariaDB MaxScale versions prior to 23.02.3

Description

An issue was discovered in MariaDB MaxScale where a user enters an encrypted password on a "maxctrl create service" command line, but this password is then stored in cleartext in the resulting .cnf file under /var/lib/maxscale/maxscale.cnf.d. The issue stems from the lack of encryption for data stored in the /var/lib/maxscale/maxscale.cnf.d directory of the MariaDB MaxScale database proxy server. Exploitation of this issue may allow a remote attacker to gain unauthorized access to protected information.

Recommendations

For versions prior to 2.5.28, update to version 2.5.28 or later.
For versions prior to 6.4.9, update to version 6.4.9 or later.
For versions prior to 22.08.8, update to version 22.08.8 or later.
For versions prior to 23.02.3, update to version 23.02.3 or later.

As a temporary workaround, consider restricting access to the /var/lib/maxscale/maxscale.cnf.d directory to minimize the risk of exploitation.
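
The temporary workaround can be verified with a short permission audit of the directory. This is an added example, not part of the original advisory or of MariaDB's code; it assumes the credential sits under a key named "password" and treats any access bit granted to "other" as a finding.

```shell
#!/bin/sh
# Added example (not MariaDB code): audit the runtime config directory from the advisory.

# Path taken from the advisory; pass another directory as $1 to override.
MAXSCALE_CNF_DIR="/var/lib/maxscale/maxscale.cnf.d"

# Succeeds if the file holds a "password" parameter.
# Assumption: the service credential is stored under a key named "password".
has_password_key() {
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1" 2>/dev/null
}

# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if dir is missing.
#   DIR-OPEN <dir>          directory grants any r/w/x bit to "other"
#   SECRET-READABLE <file>  .cnf file with a password key that "other" can read
audit_maxscale_cnf() {
    dir="${1:-$MAXSCALE_CNF_DIR}"
    findings=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }

    # -prune keeps find on the directory itself; the -perm tests cover o+r, o+w, o+x.
    if [ -n "$(find "$dir" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]; then
        echo "DIR-OPEN $dir"
        findings=1
    fi

    # World-readable .cnf files, narrowed to those that carry a password key.
    secrets=$(find "$dir" -type f -name '*.cnf' -perm -004 -print | sort |
        while IFS= read -r f; do
            if has_password_key "$f"; then echo "SECRET-READABLE $f"; fi
        done)
    if [ -n "$secrets" ]; then
        echo "$secrets"
        findings=1
    fi
    return "$findings"
}
```

Source the file and call audit_maxscale_cnf with no argument to check the default path; an empty result with exit status 0 means no finding under these checks.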

Fix

Weakness Enumeration

Missing Encryption of Sensitive Data
Cleartext Storage of Sensitive Information

Related Identifiers

BDU:2023-04739
CVE-2023-40354

Affected Products

Mariadb Maxscale