A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying the wsrep_provider and wsrep_notify_cmd system variables. NOTE: this does not affect an Oracle product.
{ "vanir_signatures": [ { "id": "CVE-2021-27928-12557ed7", "digest": { "line_hashes": [ "11425847502652849095417483971976726008", "261028279744089143798832603799308744238", "43178024023802145260950392730019310797", "27426614060501693274586081300902699324", "229288027330135542901329756108569736754", "217226131754073329819203145638391009690", "139208019122387927948352969887811226188", "12732217612013947819634176605299937141" ], "threshold": 0.9 }, "target": { "file": "sql/sys_vars.cc" }, "signature_version": "v1", "source": "https://github.com/mariadb/server/commit/ce3a2a688db556d8d077a409fd9bf5cc013d13dd", "deprecated": false, "signature_type": "Line" } ] }