CVE-2023-39593
Public on 2024-10-17
Modified on 2025-08-04
Description
Insecure permissions in the sys_exec function of MariaDB v10.5 allows authenticated attackers to execute arbitrary commands with elevated privileges. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed.
It is not clear that this is a legitimate issue affecting MariaDB. The MariaDB Foundation disputes this CVE because it argues that no privilege boundary is crossed. Additionally, the impact of fixing this issue would greatly affect workflows that use User Defined Functions (UDF). Considering the tradeoff between the stability of Amazon Linux and the potential impact of CVE-2023-39593, a fix will not be provided for mariadb at this time.
It is not clear that this is a legitimate issue affecting MariaDB. The MariaDB Foundation disputes this CVE because it argues that no privilege boundary is crossed. Additionally, the impact of fixing this issue would greatly affect workflows that use User Defined Functions (UDF). Considering the tradeoff between the stability of Amazon Linux and the potential impact of CVE-2023-39593, a fix will not be provided for mariadb at this time.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | mariadb | No Fix Planned | ||
| Amazon Linux 2 - Mariadb10.5 Extra | mariadb | No Fix Planned | ||
| Amazon Linux 2023 | mariadb105 | No Fix Planned |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 4.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |