Impact
MariaDB allows the SELECT … INTO OUTFILE and SELECT … INTO DUMPFILE statements to write a file when the FROM clause contains only subqueries, without verifying that the caller has the FILE privilege. The likely attack vector is an attacker who already has SELECT rights issuing such a statement with a crafted filename. Based on the description, it is inferred that the attacker can create or overwrite files in directories writable by the database server process, potentially leading to persistence or privilege escalation. The flaw is a failure of privilege checking (CWE-266) and of access control (CWE-863).
Affected Systems
MariaDB server versions 10.6.1 through 10.6.25, 10.11.1 through 10.11.16, 11.4.1 through 11.4.10, 11.8.1 through 11.8.6, and 12.3.1 are affected. The issue was fixed in 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. The affected product is MariaDB server, a community-developed fork of MySQL.
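The version ranges above can be turned into an inventory check. The following is an added example, not code from MariaDB or from this advisory's publisher: it classifies a reported server version string (for instance the output of SELECT VERSION()) against the listed ranges. The function names and the sample inventory are assumptions made for illustration, and releases later than the listed fixed version in a series are assumed to carry the fix.

```python
import re

# Series -> (first affected patch, last affected patch), as listed in the
# advisory text. The fixed release in each series is last + 1.
AFFECTED = {
    (10, 6): (1, 25),
    (10, 11): (1, 16),
    (11, 4): (1, 10),
    (11, 8): (1, 6),
    (12, 3): (1, 1),
}

# MariaDB 10.x servers may prefix the handshake version with "5.5.5-";
# skip that prefix so the real version is the one compared.
_VERSION_RE = re.compile(r"(?:5\.5\.5-)?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a version string, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(text):
    """Return 'affected', 'fixed', 'not-listed' or 'unparseable'."""
    version = parse_version(text)
    if version is None:
        return "unparseable"
    major, minor, patch = version
    bounds = AFFECTED.get((major, minor))
    if bounds is None:
        return "not-listed"  # series the advisory does not mention
    first, last = bounds
    if patch > last:
        return "fixed"
    if patch >= first:
        return "affected"
    return "not-listed"  # below the stated lower bound, e.g. x.y.0


if __name__ == "__main__":
    # Constructed inventory: host names and version strings are sample data.
    inventory = {
        "db-a": "10.6.24-MariaDB-log",
        "db-b": "5.5.5-10.11.17-MariaDB",
        "db-c": "11.5.2-MariaDB",
    }
    for host, reported in sorted(inventory.items()):
        print(f"{host}: {reported} -> {classify(reported)}")
```

A result of 'not-listed' means the advisory text says nothing about that series, so it should be checked against the vendor's own notes rather than treated as safe.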
Risk and Exploitability
The CVSS score of 5 indicates moderate severity. The EPSS score of less than 1% means that the probability of exploitation is very low, and there are no known public exploit examples. The vulnerability is not listed in CISA KEV. An attacker would need SELECT privileges; there is no remote code execution vector. However, the ability to write arbitrary files could be leveraged for persistence or privilege escalation if writable directories are present. Based on the description, it is inferred that the attacker would need the database process to have write access to the target directory, which is an environmental prerequisite that may reduce the exploitability.