mariadb is vulnerable to SQL Injection
81
High Risk
The connector escapes Buffer query parameters with a byte-wise routine that inserts a backslash before quote and backslash bytes without accounting for multi-byte client charsets. When the connection uses a big5, gbk, sjis, cp932, or gb18030 charset, a crafted multi-byte sequence can absorb the inserted backslash so an attacker-influenced buffer breaks out of the surrounding string literal and injects arbitrary SQL. An attacker who controls the content of a buffer parameter can alter query structure and read or modify data beyond the intended statement. The fix adds charset-aware escaping that keeps valid multi-byte characters intact and escapes lone lead bytes so they cannot combine with following bytes on the wire.
You are affected if you are using a version that falls within the vulnerable range and connecting with a big5, gbk, sjis, cp932, or gb18030 client charset.
mariadb is vulnerable to SQL Injection in versions 0.7.0 - 3.2.3, 3.3.0 - 3.3.2, 3.4.0 - 3.4.5 and 3.5.1 - 3.5.2.
Upgrade the mariadb library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant