CVE-2025-14758
Replication Security Misconfiguration in MariaDB YAOOK Operator Enables Data Exposure
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: GitLab Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mariadb | mariadb | 3.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the MariaDB component of the YAOOK Operator infra-operator involves incorrect configuration of replication security, specifically for IPv6-enabled clusters. The infra-operator sets the replication provider options via command line arguments in a way that overrides the intended configuration from the ConfigMap, resulting in TLS encryption being disabled for replication traffic. This means replication data, including potentially sensitive database contents, is transmitted unencrypted and can be intercepted by an on-path attacker. [1]
How can this vulnerability impact me?
The vulnerability allows an on-path attacker to read the contents of the database replication traffic, potentially exposing sensitive information such as credentials. Since the replication traffic is not encrypted due to disabled TLS, attackers can intercept and access confidential data during replication between MariaDB nodes in IPv6-enabled clusters. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the MariaDB replication traffic is encrypted with TLS. Specifically, verify whether the `wsrep_provider_socket_ssl` option is set to OFF, which disables encryption for replication traffic. You can inspect the MariaDB configuration by examining the ConfigMap at `/opt/bitnami/mariadb/conf/my.cnf` and checking the effective `wsrep_provider_options`. Additionally, check the command line arguments of the infra-operator pods to see whether `--wsrep-provider-options` is set, which may override the ConfigMap settings. Commands to help detect this include:
1) `kubectl get pods -n <namespace> -o yaml | grep wsrep-provider-options` to find whether the argument is set;
2) `kubectl exec -it <mariadb-pod> -- cat /opt/bitnami/mariadb/conf/my.cnf | grep wsrep_provider_socket_ssl` to check the config file;
3) a network traffic capture tool (e.g., tcpdump) to verify whether replication traffic is unencrypted over IPv6. [1]
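The check above comes down to one question: in the options MariaDB actually passes to the Galera provider, is TLS on or off? The following POSIX shell script is an added example (not part of the CVE record, the YAOOK operator or the Bitnami image) that answers it from two inputs: the `wsrep_provider_options` line of a rendered `my.cnf` and the mysqld command line. It applies MariaDB's precedence rule that a command-line `--wsrep-provider-options=` value replaces the config-file value, then reads the Galera key `socket.ssl` from the effective string (that key, inside `wsrep_provider_options`, is what the answer refers to as `wsrep_provider_socket_ssl`). The two sample inputs are constructed for this example and mirror the CVE's pattern: the ConfigMap enables TLS, the argument silently turns it off.

```shell
#!/bin/sh
# Added example, not the operator's own tooling. Inputs are constructed here;
# on a real cluster you would feed the output of the kubectl commands instead.

# Constructed my.cnf fragment as a ConfigMap might render it (TLS enabled).
SAMPLE_MY_CNF='[mysqld]
wsrep_on=ON
wsrep_provider_options="socket.ssl=yes;socket.ssl_cert=/certs/tls.crt;socket.ssl_key=/certs/tls.key;gmcast.listen_addr=tcp://[::]:4567"
'
# Constructed mysqld command lines: one that overrides the provider options
# (the vulnerable pattern) and one that leaves the ConfigMap value in force.
SAMPLE_ARGS_BAD='mysqld --wsrep-provider-options=gmcast.listen_addr=tcp://[::]:4567;socket.ssl=no'
SAMPLE_ARGS_OK='mysqld --port=3306'

# Value of wsrep_provider_options in a my.cnf body ($1), quotes stripped.
cnf_provider_options() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*wsrep_provider_options[[:space:]]*=[[:space:]]*//p' |
    tr -d '"' | head -n 1
}

# Value of --wsrep-provider-options= on a space-separated argv string ($1).
# Assumption: only the "--opt=value" spelling is used, as in the CVE text.
argv_provider_options() {
  printf '%s\n' "$1" | tr ' ' '\n' |
    sed -n 's/^--wsrep-provider-options=//p' | tr -d '"' | head -n 1
}

# Effective provider options: the command line wins over my.cnf.
effective_provider_options() {
  from_argv=$(argv_provider_options "$2")
  if [ -n "$from_argv" ]; then
    printf '%s\n' "$from_argv"
  else
    cnf_provider_options "$1"
  fi
}

# Lower-cased socket.ssl value from a provider-options string, or "unset".
# Galera defaults socket.ssl to "no", so "unset" is plaintext as well.
socket_ssl_state() {
  state=$(printf '%s\n' "$1" | tr ';' '\n' |
    sed -n 's/^[[:space:]]*socket\.ssl[[:space:]]*=[[:space:]]*//p' |
    tail -n 1 | tr '[:upper:]' '[:lower:]')
  if [ -z "$state" ]; then echo unset; else echo "$state"; fi
}

# Returns 0 when replication traffic is TLS-protected, 1 otherwise.
check_replication_tls() {
  opts=$(effective_provider_options "$1" "$2")
  state=$(socket_ssl_state "$opts")
  case "$state" in
    yes|on|true|1)
      echo "OK: socket.ssl=$state, replication traffic is TLS-encrypted"
      return 0 ;;
    *)
      echo "FINDING: socket.ssl is '$state' in effective wsrep_provider_options; replication is plaintext"
      return 1 ;;
  esac
}

# Stand-alone run over the constructed samples.
if check_replication_tls "$SAMPLE_MY_CNF" "$SAMPLE_ARGS_OK"; then :; fi
if check_replication_tls "$SAMPLE_MY_CNF" "$SAMPLE_ARGS_BAD"; then :; fi
```

On a live cluster the two inputs come from the commands already listed: `kubectl exec <mariadb-pod> -- cat /opt/bitnami/mariadb/conf/my.cnf` for the first argument and `kubectl get pod <mariadb-pod> -o jsonpath='{.spec.containers[*].args}'` for the second. A non-zero exit from `check_replication_tls` is the condition to alert on; the `grep` for the argument alone is not enough, because an argument that still says `socket.ssl=yes` is harmless, and a ConfigMap that says so is irrelevant once an argument overrides it.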
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, modify the infra-operator deployment to ensure that the `wsrep_provider_options` are correctly rendered into the ConfigMap rather than being overridden by command line arguments. This includes applying logic to differentiate between IPv4 and IPv6 clusters so that TLS encryption is enabled for replication traffic. If possible, apply the proposed patch `0001-Move-IPv6-wsrep_provider_options-to-configmap.patch` to fix the issue. Until a fix is applied, avoid using IPv6-enabled clusters for MariaDB replication or monitor and restrict network access to replication traffic to prevent on-path attackers from intercepting data. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an on-path attacker to read database contents, potentially including credentials, due to lack of TLS encryption in MariaDB replication traffic. This exposure of sensitive data could lead to non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive information during transmission. However, the exact impact on compliance depends on the deployment environment and whether IPv6-enabled clusters are used without the recommended fixes. [1]