In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged.
| Version | Score | Severity | Vector String |
|---|---|---|---|
| 4.0 | 5.3 | Medium | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| 3.1 | 4.3 | Medium | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| Product | Vendor | Version |
|---|---|---|
| MariaDB Server | MariaDB Foundation | < 10.0.22631.5624 |
| Aurora MySQL | Amazon | < 10.0.19044.6216 |
| RDS for MySQL | Amazon | < 10.0.26100.4652 |
| RDS for MariaDB | Amazon | < 6.1.7601.27820 |