CVE-2023-40354

Published: Aug 14, 2023Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An issue was discovered in MariaDB MaxScale before 23.02.3. A user enters an encrypted password on a "maxctrl create service" command line, but this password is then stored in cleartext in the resulting .cnf file under /var/lib/maxscale/maxscale.cnf.d. The fixed versions are 2.5.28, 6.4.9, 22.08.8, and 23.02.3.

Affected (4)

Products: Mariadb: Maxscale

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Mariadb Maxscale	Before 2.5.28
Mariadb Maxscale	From 22.08 to 22.08.8
Mariadb Maxscale	From 23.02 to 23.02.3
Mariadb Maxscale	From 6.0.0 to 6.4.9

Related CWEs

Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

References (2)

https://jira.mariadb.org/browse/MXS-4681

Source: cve@mitre.org

Issue TrackingVendor Advisory

https://jira.mariadb.org/browse/MXS-4681

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.