CVE-2024-27766
Public on 2024-10-17
Modified on 2025-04-08
Description
An issue in MariaDB v.11.1 allows a remote attacker to execute arbitrary code via the lib_mysqludf_sys.so function. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed.
It is not clear that this is a legitimate issue affecting MariaDB. The MariaDB Foundation disputes this CVE because it argues that no privilege boundary is crossed. Additionally, the impact of fixing this issue would greatly affect workflows that use User Defined Functions (UDF). Considering the tradeoff between the stability of HAQM Linux and the potential impact of CVE-2024-27766, a fix will not be provided for mariadb at this time.
It is not clear that this is a legitimate issue affecting MariaDB. The MariaDB Foundation disputes this CVE because it argues that no privilege boundary is crossed. Additionally, the impact of fixing this issue would greatly affect workflows that use User Defined Functions (UDF). Considering the tradeoff between the stability of HAQM Linux and the potential impact of CVE-2024-27766, a fix will not be provided for mariadb at this time.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| HAQM Linux 2 - Core | mariadb | No Fix Planned | ||
| HAQM Linux 2 - Mariadb10.5 Extra | mariadb | No Fix Planned | ||
| HAQM Linux 2023 | mariadb105 | No Fix Planned |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| HAQM Linux | CVSSv3 | 4.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
| NVD | CVSSv3 | 5.7 | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |