CVE-2020-7221 - OpenCVE

mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege escalation from the mysql user account to root because chown and chmod are performed unsafely, as demonstrated by a symlink attack on a chmod 04755 of auth_pam_tool_dir/auth_pam_tool. NOTE: this does not affect the Oracle MySQL product, which implements mysql_install_db differently.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mariadb	Mariadb

Configuration 1 [-]

cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://bugzilla.suse.com/show_bug.cgi?id=1160868
https://github.com/MariaDB/server/commit/9d18b6246755472c8324bf3e20e234e08ac45618
https://nvd.nist.gov/vuln/detail/CVE-2020-7221
https://seclists.org/oss-sec/2020/q1/55
https://www.cve.org/CVERecord?id=CVE-2020-7221

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-02-04T16:57:00

Updated: 2024-08-04T09:25:48.582Z

Reserved: 2020-01-17T00:00:00

Link: CVE-2020-7221

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-02-04T17:15:13.233

Modified: 2021-07-21T11:39:23.747

Link: CVE-2020-7221

Redhat

Severity : Moderate

Publid Date: 2020-02-04T00:00:00Z

Links: CVE-2020-7221 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2020-01-28T00:00:00", "descriptions": [{"lang": "en", "value": "mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege escalation from the mysql user account to root because chown and chmod are performed unsafely, as demonstrated by a symlink attack on a chmod 04755 of auth_pam_tool_dir/auth_pam_tool. NOTE: this does not affect the Oracle MySQL product, which implements mysql_install_db differently."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-02-04T16:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://seclists.org/oss-sec/2020/q1/55"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1160868"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MariaDB/server/commit/9d18b6246755472c8324bf3e20e234e08ac45618"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-7221", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege escalation from the mysql user account to root because chown and chmod are performed unsafely, as demonstrated by a symlink attack on a chmod 04755 of auth_pam_tool_dir/auth_pam_tool. NOTE: this does not affect the Oracle MySQL product, which implements mysql_install_db differently."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://seclists.org/oss-sec/2020/q1/55", "refsource": "MISC", "url": "https://seclists.org/oss-sec/2020/q1/55"}, {"name": "https://bugzilla.suse.com/show_bug.cgi?id=1160868", "refsource": "MISC", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1160868"}, {"name": "https://github.com/MariaDB/server/commit/9d18b6246755472c8324bf3e20e234e08ac45618", "refsource": "CONFIRM", "url": "https://github.com/MariaDB/server/commit/9d18b6246755472c8324bf3e20e234e08ac45618"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:25:48.582Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://seclists.org/oss-sec/2020/q1/55"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1160868"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/MariaDB/server/commit/9d18b6246755472c8324bf3e20e234e08ac45618"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-7221", "datePublished": "2020-02-04T16:57:00", "dateReserved": "2020-01-17T00:00:00", "dateUpdated": "2024-08-04T09:25:48.582Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", "matchCriteriaId": "58B7E318-FE05-4119-BA77-D315934F7E96", "versionEndIncluding": "10.4.11", "versionStartIncluding": "10.4.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege escalation from the mysql user account to root because chown and chmod are performed unsafely, as demonstrated by a symlink attack on a chmod 04755 of auth_pam_tool_dir/auth_pam_tool. NOTE: this does not affect the Oracle MySQL product, which implements mysql_install_db differently."}, {"lang": "es", "value": "mysql_install_db en MariaDB versiones 10.4.7 hasta 10.4.11, permite una escalada de privilegios de la cuenta de usuario mysql a root porque chown y chmod se realizan de forma no segura, como es demostrado por un ataque de tipo symlink en un chmod 04755 de auth_pam_tool_dir/auth_pam_tool. NOTA: esto no afecta el producto Oracle MySQL, que implementa mysql_install_db de manera diferente."}], "id": "CVE-2020-7221", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-04T17:15:13.233", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1160868"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/MariaDB/server/commit/9d18b6246755472c8324bf3e20e234e08ac45618"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://seclists.org/oss-sec/2020/q1/55"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "mariadb: mysql_install_db allows privilege escalation due to unsafe chown and chmod operations", "id": "1802786", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802786"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-267", "details": ["mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege escalation from the mysql user account to root because chown and chmod are performed unsafely, as demonstrated by a symlink attack on a chmod 04755 of auth_pam_tool_dir/auth_pam_tool. NOTE: this does not affect the Oracle MySQL product, which implements mysql_install_db differently.", "A privilege escalation vulnerability was found in MariaDB, in the way it handled a `setuid` program during the installation process. A local MySQL user could abuse this flaw to escalate their privileges on the system, by gaining root privileges once the bash script `mysql_install_db.sh` is executed."], "name": "CVE-2020-7221", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "mariadb", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mariadb", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "mariadb", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-mariadb102", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-mariadb103", "product_name": "Red Hat Software Collections"}], "public_date": "2020-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-7221\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-7221"], "statement": "This flaw did not affect the versions of MariaDB as shipped with Red Hat Enterprise Linux 7, and 8 as they did not include the vulnerable code, which was introduced in a newer version of the package. The same is true for the versions of MariaDB as shipped with Red Hat Software Collections 3.", "threat_severity": "Moderate", "upstream_fix": "mariadb 10.5.1, mariadb 10.4.12"}