Executive Summary

This vulnerability in MariaDB server occurs because the FILE privilege was not properly checked when executing SELECT ... INTO OUTFILE or SELECT ... INTO DUMPFILE statements if the FROM clause contained only subqueries (derived tables).

As a result, users without the FILE privilege could write files to the server's filesystem, which should normally be restricted.

This issue affected multiple MariaDB versions and was patched in later releases.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows an attacker with low privileges and network access to write files to the server's filesystem without proper authorization.

This could lead to potential data corruption, unauthorized file creation, or other impacts related to unauthorized file writes.

However, the vulnerability does not directly impact confidentiality or integrity of data, but availability could be affected.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to execute SELECT ... INTO OUTFILE or SELECT ... INTO DUMPFILE statements where the FROM clause contains only subqueries or derived tables, and observing if the command succeeds without the FILE privilege.

A test query similar to the one described in the bug report would be to run a SELECT ... INTO OUTFILE statement from a derived table and check if it succeeds or returns an access denied error (ER_ACCESS_DENIED_ERROR).

• Example command to test (run as a user without FILE privilege): SELECT * INTO OUTFILE '/tmp/testfile' FROM (SELECT 1) AS derived_table;

If the command succeeds without proper FILE privilege, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading MariaDB to a patched version where this vulnerability is fixed. The patched versions are 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.

Additionally, ensure that filesystem permissions and the --secure-file-priv option are properly configured to restrict file writing operations, which can help mitigate the risk even if the vulnerability exists.

Review and restrict user privileges, especially the FILE privilege, to minimize potential exploitation.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows users without the FILE privilege to write files to the server's filesystem by exploiting improper authorization checks in SELECT ... INTO OUTFILE or SELECT ... INTO DUMPFILE statements with subqueries. Such unauthorized file writes could potentially lead to data leakage or unauthorized data manipulation.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability for unauthorized users to write files on the server could impact data security and integrity requirements mandated by these regulations.

Organizations subject to GDPR, HIPAA, or similar regulations should consider this vulnerability a risk to their data protection controls, as it may allow unauthorized data exposure or modification, thereby affecting compliance.

Useful 0 Not Useful 0