Bitnami package
mariadb
pkg:bitnami/mariadb
Vulnerabilities (103)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32710 | High | 8.5 | — | >= 11.4.1, < 11.4.10 | 11.4.10 | Mar 20, 2026 | MariaDB server is a community developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a bug in JSON_SCHEMA_VALID() function. Under certain conditions it might be possible to turn the crash into a remote code |
| CVE-2026-3494 | — | — | — | < 10.6.25 | 10.6.25 | Mar 3, 2026 | In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (--) or hash (#) styl |
| CVE-2025-30722 | — | — | — | < 10.5.29 | 10.5.29 | Apr 15, 2025 | Vulnerability in the MySQL Client product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple proto |
| CVE-2025-30693 | — | — | — | < 10.5.29 | 10.5.29 | Apr 15, 2025 | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to comp |
| CVE-2023-52971 | Medium | 4.9 | — | >= 10.10.0, < 10.11.12 | 10.11.12 | Mar 8, 2025 | MariaDB Server 10.10 through 10.11.* and 11.0 through 11.4.* crashes in JOIN::fix_all_splittings_in_plan. |
| CVE-2023-52970 | Medium | 4.9 | — | < 10.5.29 | 10.5.29 | Mar 8, 2025 | MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through 10.11.*, 11.0 through 11.0.*, and 11.1 through 11.4.* crashes in Item_direct_view_ref::derived_field_transformer_for_where. |
| CVE-2023-52969 | Medium | 4.9 | — | < 10.5.29 | 10.5.29 | Mar 8, 2025 | MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through 10.11.*, and 11.0 through 11.0.* can sometimes crash with an empty backtrace log. This may be related to make_aggr_tables_info and optimize_stage2. |
| CVE-2023-52968 | Medium | 4.9 | — | >= 10.4.0, < 10.4.33 | 10.4.33 | Mar 8, 2025 | MariaDB Server 10.4 before 10.4.33, 10.5 before 10.5.24, 10.6 before 10.6.17, 10.7 through 10.11 before 10.11.7, 11.0 before 11.0.5, and 11.1 before 11.1.4 calls fix_fields_if_needed under mysql_derived_prepare when derived is not yet prepared, leading to a find_field_in_table cr |
| CVE-2025-21490 | — | — | — | < 10.5.28 | 10.5.28 | Jan 21, 2025 | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple proto |
| CVE-2024-27766 | — | — | — | >= 11.1.0, < 11.1.5 | 11.1.5 | Oct 17, 2024 | An issue in MariaDB v.11.1 allows a remote attacker to execute arbitrary code via the lib_mysqludf_sys.so function. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed. |
| CVE-2023-39593 | — | — | — | >= 10.5.0, <= 10.5.0 | — | Oct 17, 2024 | Insecure permissions in the sys_exec function of MariaDB v10.5 allows authenticated attackers to execute arbitrary commands with elevated privileges. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed. |
| CVE-2023-26785 | — | — | — | >= 10.5.0, <= 10.5.0 | — | Oct 17, 2024 | MariaDB v10.5 was discovered to contain a remote code execution (RCE) vulnerability via UDF Code in a Shared Object File, followed by a "create function" statement. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed. |
| CVE-2024-21096 | — | — | — | < 10.5.25 | 10.5.25 | Apr 16, 2024 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MyS |
| CVE-2023-22084 | — | — | — | < 10.4.32 | 10.4.32 | Oct 17, 2023 | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.43 and prior, 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to c |
| CVE-2023-5157 | — | — | — | < 10.3.36 | 10.3.36 | Sep 26, 2023 | A vulnerability was found in MariaDB. An OpenVAS port scan on ports 3306 and 4567 allows a malicious remote client to cause a denial of service. |
| CVE-2022-47015 | — | — | — | >= 10.3.0, < 10.3.39 | 10.3.39 | Jan 20, 2023 | MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer. |
| CVE-2022-21595 | — | — | — | < 10.2.42 | 10.2.42 | Oct 18, 2022 | Vulnerability in the MySQL Server product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromis |
| CVE-2022-38791 | — | — | — | >= 10.3.0, < 10.3.36 | 10.3.36 | Aug 27, 2022 | In MariaDB before 10.9.2, compress_write in extra/mariabackup/ds_compress.cc does not release data_mutex upon a stream write failure, which allows local users to trigger a deadlock. |
| CVE-2022-32088 | — | — | — | >= 10.2.0, < 10.2.44 | 10.2.44 | Jul 1, 2022 | MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort. |
| CVE-2022-32087 | — | — | — | >= 10.3.0, < 10.3.35 | 10.3.35 | Jul 1, 2022 | MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_args::walk_args. |
Page 1 of 6