MariaDB Galera hits CVSS 10.0: unauthenticated RCE through a clustering feature

A privileged remote attacker can inject arbitrary OS commands into the IEI iVEC Virtualization Edge Computer and run them on the device. You need elevated access to exploit this, which lowers the real-world risk somewhat, but if an attacker already has a privileged session (or steals one), they own the box completely.

Included because

command injection; network-reachable management interface; edge appliance often internet-adjacent

Affected estate

IEI Integration Corp iVEC-IEI Virtualization Edge Computer appliances.

How to check

Log into the iVEC management console and verify the firmware version against IEI's advisory.

Action

Update firmware to the patched version. If unavailable, isolate the management interface behind a firewall or VPN.

Urgency

Patch this week

Why it matters

Full OS command execution on an edge compute appliance gives an attacker a pivot point into your network.

Source

IEI Integration Corp advisory

This is a CVSS 10.0. If you run MariaDB with Galera replication and have `wsrep_notify_cmd` enabled, an attacker who controls the joiner node name can embed shell commands in it and the server will execute them. That's full remote code execution with no authentication required, straight through a clustering feature. The blast radius covers MariaDB 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1.

Included because

unauthenticated; CVSS 10.0; shell injection; common database product; clustering often network-exposed between nodes

Affected estate

MariaDB versions 10.6.1-10.6.26, 10.11.1-10.11.17, 11.4.1-11.4.11, 11.8.1-11.8.7, and 12.3.1 with wsrep_notify_cmd configured.

How to check

Run `SELECT VERSION();` and check if `wsrep_notify_cmd` is set: `SHOW GLOBAL VARIABLES LIKE 'wsrep_notify_cmd';`. If it returns a non-empty value, you're exposed.

Action

Upgrade MariaDB to the fixed version for your branch. If that's not possible tonight, run `SET GLOBAL wsrep_notify_cmd='';` and remove it from your config file, then restart.

Urgency

Patch immediately

Why it matters

CVSS 10.0 unauthenticated RCE through a clustering feature. An attacker who can reach the Galera replication port can execute arbitrary commands as the MariaDB service user.

Source

MariaDB upstream advisory

A use-after-free bug in Chrome's Autofill feature on macOS lets an attacker corrupt heap memory through a crafted web page. All it takes is getting a user to visit a malicious site. Chromium rates this High severity, and at CVSS 8.8 it's worth patching quickly even though there's no known exploitation yet.

Included because

no user interaction beyond visiting a page; high CVSS; widely deployed browser; macOS-specific

Affected estate

Google Chrome on macOS prior to 149.0.7827.115. Other Chromium-based browsers on macOS may also be affected until they pull the upstream fix.

How to check

Open chrome://version or query your endpoint management tool for the Chrome version on macOS devices.

Action

Push Chrome 149.0.7827.115 or later through your MDM or software update tool. Confirm users restart the browser to apply the update.

Urgency

Patch within 24 hours

Why it matters

A single click on a malicious link could give an attacker heap corruption in the browser process, potentially leading to code execution on the endpoint.

Source

Google Chrome Releases / Chromium security advisory

A use-after-free in MongoDB's server-side JavaScript engine lets an authenticated user with read privileges leak process memory or crash the server. The attacker needs to be able to run server-side JS, which means using operators like $where or $function. If you've disabled server-side JavaScript (which many hardening guides recommend), you're not exposed.

Included because

authenticated but low privilege bar; common database product; info disclosure and DoS; server-side JS enabled by default

Affected estate

MongoDB Server instances with server-side JavaScript enabled (the default). All versions containing the vulnerable BSON-to-JS-array conversion code.

How to check

Connect with `mongosh` and run `db.adminCommand({getParameter: 1, javascriptEnabled: 1})`. If it returns true and you have users with read privileges, you're exposed.

Action

Upgrade to the patched MongoDB version. If you can't upgrade quickly, set `security.javascriptEnabled: false` and restart mongod.

Urgency

Patch this week

Why it matters

An authenticated user with basic read access can crash your database or leak sensitive data from mongod process memory.

Source

MongoDB Server advisory