CVE-2023-40354
First published: Mon Aug 14 2023(Updated: )
An issue was discovered in MariaDB MaxScale before 23.02.3. A user enters an encrypted password on a "maxctrl create service" command line, but this password is then stored in cleartext in the resulting .cnf file under /var/lib/maxscale/maxscale.cnf.d. The fixed versions are 2.5.28, 6.4.9, 22.08.8, and 23.02.3.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| MariaDB MaxScale | <2.5.28 | |
| MariaDB MaxScale | >=6.0.0<6.4.9 | |
| MariaDB MaxScale | >=22.08<22.08.8 | |
| MariaDB MaxScale | >=23.02<23.02.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2023-40354.
What is the severity rating of CVE-2023-40354?
CVE-2023-40354 has a severity rating of 6.5 (medium).
What is the affected software of CVE-2023-40354?
The affected software of CVE-2023-40354 is MariaDB MaxScale versions 2.5.28, 6.4.9, 22.08.8, and 23.02.3.
How does this vulnerability occur?
This vulnerability occurs when a user enters an encrypted password on a "maxctrl create service" command line, but the password is stored in cleartext in the resulting .cnf file under /var/lib/maxscale/maxscale.cnf.d.
What is the fix for CVE-2023-40354?
The fix for CVE-2023-40354 is to update to the fixed versions of MariaDB MaxScale (2.5.28, 6.4.9, 22.08.8, or 23.02.3).
- collector/nvd-api
- collector/nvd-index
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/type
- agent/event
- agent/description
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/mariadb
- canonical/mariadb maxscale
- version/mariadb maxscale/6.0.0
- version/mariadb maxscale/22.08
- version/mariadb maxscale/23.02