What is the severity of CVE-2020-28912?

CVE-2020-28912 has a medium severity rating because it allows an unprivileged user to intercept sensitive data between local clients and the MariaDB server.

How do I fix CVE-2020-28912?

To fix CVE-2020-28912, upgrade MariaDB to a version later than 10.5.7.

Who is affected by CVE-2020-28912?

CVE-2020-28912 affects installations of MariaDB on Windows that allow local client connections over named pipes.

What is the impact of CVE-2020-28912?

The impact of CVE-2020-28912 includes the possibility of a man-in-the-middle attack, leading to unauthorized access to sensitive data.

Is CVE-2020-28912 related to specific versions of MariaDB?

Yes, CVE-2020-28912 affects MariaDB versions 10.1.48 and earlier, 10.2.35 and earlier, 10.3.26 and earlier, 10.4.16 and earlier, and 10.5.7 and earlier.

Vulnerability/
CVE-2020-28912

high

24/12/2020

4/8/2024

CVE-2020-28912

First published: Thu Dec 24 2020(Updated: )

With MariaDB running on Windows, when local clients connect to the server over named pipes, it's possible for an unprivileged user with an ability to run code on the server machine to intercept the named pipe connection and act as a man-in-the-middle, gaining access to all the data passed between the client and the server, and getting the ability to run SQL commands on behalf of the connected user. This occurs because of an incorrect security descriptor. This affects MariaDB Server before 10.1.48, 10.2.x before 10.2.35, 10.3.x before 10.3.26, 10.4.x before 10.4.16, and 10.5.x before 10.5.7. NOTE: this issue exists because certain details of the MariaDB CVE-2019-2503 fix did not comprehensively address attack variants against MariaDB. This situation is specific to MariaDB, and thus CVE-2020-28912 does NOT apply to other vendors that were originally affected by CVE-2019-2503.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
MariaDB Server	<10.1.48
MariaDB Server	>=10.2.0<10.2.35
MariaDB Server	>=10.3.0<10.3.26
MariaDB Server	>=10.4.0<10.4.16
MariaDB Server	>=10.5.0<10.5.7
Microsoft Windows

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2020-28912?
CVE-2020-28912 has a medium severity rating because it allows an unprivileged user to intercept sensitive data between local clients and the MariaDB server.
How do I fix CVE-2020-28912?
To fix CVE-2020-28912, upgrade MariaDB to a version later than 10.5.7.
Who is affected by CVE-2020-28912?
CVE-2020-28912 affects installations of MariaDB on Windows that allow local client connections over named pipes.
What is the impact of CVE-2020-28912?
The impact of CVE-2020-28912 includes the possibility of a man-in-the-middle attack, leading to unauthorized access to sensitive data.
Is CVE-2020-28912 related to specific versions of MariaDB?
Yes, CVE-2020-28912 affects MariaDB versions 10.1.48 and earlier, 10.2.35 and earlier, 10.3.26 and earlier, 10.4.16 and earlier, and 10.5.7 and earlier.

agent/references
agent/type
collector/mitre-cve
source/MITRE
agent/severity
agent/last-modified-date
agent/author
agent/first-publish-date
agent/description
agent/event
agent/source
agent/tags
agent/softwarecombine
collector/nvd-index
agent/software-canonical-lookup-request
vendor/mariadb
canonical/mariadb server
version/mariadb server/10.2.0
version/mariadb server/10.3.0
version/mariadb server/10.4.0
version/mariadb server/10.5.0
vendor/microsoft
canonical/microsoft windows

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.