Details
-
Bug
-
Status: Closed (View Workflow)
-
Blocker
-
Resolution: Fixed
-
10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5
-
None
Description
during SST a joiner sends an sst method name to the donor. Donor then appends it to the "wsrep_sst_" string to get the name of the sst script to use, e.g. wsrep_sst_rsync. There is no validation or filtering here, so if the malicious joiner sends, for example, "rsync `rm -rf /`" the donor will execute that too.
Attachments
Issue Links
- relates to
-
-
- Closed
-
Activity
| Field | Original Value | New Value |
|---|---|---|
| Priority | Major [ 3 ] | Blocker [ 1 ] |
| Fix Version/s | 10.5.6 [ 24508 ] | |
| Fix Version/s | 10.4.15 [ 24507 ] | |
| Fix Version/s | 10.3.25 [ 24506 ] | |
| Fix Version/s | 10.2.34 [ 24505 ] | |
| Fix Version/s | 10.1.47 [ 24510 ] | |
| Fix Version/s | 10.2 [ 14601 ] | |
| Fix Version/s | 10.1 [ 16100 ] | |
| Fix Version/s | 10.3 [ 22126 ] | |
| Fix Version/s | 10.4 [ 22408 ] | |
| Fix Version/s | 10.5 [ 23123 ] |
| Resolution | Fixed [ 1 ] | |
| Status | Open [ 1 ] | Closed [ 6 ] |
| Comment | [ How to reproduce the problem ? ] |
| Comment | [ I will be really interested because i have one problem of SST with one donor that I cannot explain and I don't understand why yet. ] |
| Description | during SST a joiner sends an sst method name to the donor. Donor then appends it to the "wsrep_sst_" string to get the name of the sst script to use, e.g. wsrep_sst_rsync. There is no validation or filtering here, so if the malicious joiner sends, for example, "rsync `rm -rf /`" the donor will execute that too. |
| Workflow | MariaDB v3 [ 114181 ] | MariaDB v4 [ 158435 ] |
| Link |
This issue relates to |
CVE-2020-15180