{"api_version":"1","generated_at":"2026-04-23T05:56:31+00:00","cve":"CVE-2017-15365","urls":{"html":"https://cve.report/CVE-2017-15365","api":"https://cve.report/api/cve/CVE-2017-15365.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-15365","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-15365"},"summary":{"title":"CVE-2017-15365","description":"sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x before 10.2.10 and Percona XtraDB Cluster before 5.6.37-26.21-3 and 5.7.x before 5.7.19-29.22-3 allows remote authenticated users with SQL access to bypass intended access restrictions and replicate data definition language (DDL) statements to cluster nodes by leveraging incorrect ordering of DDL replication and ACL checking.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2018-01-25 16:29:00","updated_at":"2023-11-07 02:39:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://www.percona.com/blog/2017/10/30/percona-xtradb-cluster-5-6-37-26-21-3-is-now-available/","name":"https://www.percona.com/blog/2017/10/30/percona-xtradb-cluster-5-6-37-26-21-3-is-now-available/","refsource":"CONFIRM","tags":["Release Notes","Vendor Advisory"],"title":"Percona XtraDB Cluster 5.6.37-26.21-3 is Now Available - Percona Database Performance Blog","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://mariadb.com/kb/en/library/mariadb-10210-release-notes/","name":"https://mariadb.com/kb/en/library/mariadb-10210-release-notes/","refsource":"CONFIRM","tags":["Release Notes","Vendor Advisory"],"title":"MariaDB 10.2.10 Release Notes - MariaDB Knowledge Base","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ELCZV46WIYSJ6VMC65GMNN3A3QDRUJGK/","name":"FEDORA-2018-0d6a80f496","refsource":"FEDORA","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 26 Update: mariadb-10.1.30-1.fc26 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2018/dsa-4341","name":"DSA-4341","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4341-1 mariadb-10.1","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e","name":"https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e","refsource":"CONFIRM","tags":["Patch","Third Party Advisory"],"title":"MW-416 DDL replication moved after acl checking · MariaDB/server@0b5a525 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ELCZV46WIYSJ6VMC65GMNN3A3QDRUJGK/","name":"FEDORA-2018-0d6a80f496","refsource":"","tags":[],"title":"[SECURITY] Fedora 26 Update: mariadb-10.1.30-1.fc26 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2019:1258","name":"RHSA-2019:1258","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1524234","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1524234","refsource":"CONFIRM","tags":["Issue Tracking","Third Party Advisory"],"title":"1524234 – (CVE-2017-15365) CVE-2017-15365 mariadb: Replication in sql/event_data_objects.cc occurs before ACL checks","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.19-29.22-3.html","name":"https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.19-29.22-3.html","refsource":"CONFIRM","tags":["Release Notes","Vendor Advisory"],"title":"Percona XtraDB Cluster 5.7.19-29.22-3","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://mariadb.com/kb/en/library/mariadb-10130-release-notes/","name":"https://mariadb.com/kb/en/library/mariadb-10130-release-notes/","refsource":"CONFIRM","tags":["Release Notes","Vendor Advisory"],"title":"MariaDB 10.1.30 Release Notes - MariaDB Knowledge Base","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-15365","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15365","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"15365","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"26","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"15365","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"26","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"15365","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mariadb","cpe5":"mariadb","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"15365","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mariadb","cpe5":"mariadb","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"15365","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"percona","cpe5":"xtradb_cluster","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"15365","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"percona","cpe5":"xtradb_cluster","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2017-15365","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x before 10.2.10 and Percona XtraDB Cluster before 5.6.37-26.21-3 and 5.7.x before 5.7.19-29.22-3 allows remote authenticated users with SQL access to bypass intended access restrictions and replicate data definition language (DDL) statements to cluster nodes by leveraging incorrect ordering of DDL replication and ACL checking."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e","refsource":"CONFIRM","url":"https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e"},{"name":"DSA-4341","refsource":"DEBIAN","url":"https://www.debian.org/security/2018/dsa-4341"},{"name":"https://mariadb.com/kb/en/library/mariadb-10210-release-notes/","refsource":"CONFIRM","url":"https://mariadb.com/kb/en/library/mariadb-10210-release-notes/"},{"name":"https://bugzilla.redhat.com/show_bug.cgi?id=1524234","refsource":"CONFIRM","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1524234"},{"name":"https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.19-29.22-3.html","refsource":"CONFIRM","url":"https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.19-29.22-3.html"},{"name":"FEDORA-2018-0d6a80f496","refsource":"FEDORA","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ELCZV46WIYSJ6VMC65GMNN3A3QDRUJGK/"},{"name":"https://www.percona.com/blog/2017/10/30/percona-xtradb-cluster-5-6-37-26-21-3-is-now-available/","refsource":"CONFIRM","url":"https://www.percona.com/blog/2017/10/30/percona-xtradb-cluster-5-6-37-26-21-3-is-now-available/"},{"name":"https://mariadb.com/kb/en/library/mariadb-10130-release-notes/","refsource":"CONFIRM","url":"https://mariadb.com/kb/en/library/mariadb-10130-release-notes/"},{"refsource":"REDHAT","name":"RHSA-2019:1258","url":"https://access.redhat.com/errata/RHSA-2019:1258"}]}},"nvd":{"publishedDate":"2018-01-25 16:29:00","lastModifiedDate":"2023-11-07 02:39:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":true,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:26:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*","versionStartIncluding":"10.2.0","versionEndExcluding":"10.2.10","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*","versionEndExcluding":"10.1.30","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:percona:xtradb_cluster:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7.0","versionEndExcluding":"5.7.19-29.22-3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:percona:xtradb_cluster:*:*:*:*:*:*:*:*","versionEndExcluding":"5.6.37-26.21-3","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"15365","Ordinal":"112869","Title":"CVE-2017-15365","CVE":"CVE-2017-15365","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"15365","Ordinal":"1","NoteData":"sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x before 10.2.10 and Percona XtraDB Cluster before 5.6.37-26.21-3 and 5.7.x before 5.7.19-29.22-3 allows remote authenticated users with SQL access to bypass intended access restrictions and replicate data definition language (DDL) statements to cluster nodes by leveraging incorrect ordering of DDL replication and ACL checking.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"15365","Ordinal":"2","NoteData":"2018-01-25","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"15365","Ordinal":"3","NoteData":"2019-05-21","Type":"Other","Title":"Modified"}]}}}