Detections
Analytics
Alpine: multiple mariadb packages: security update to 10.11.17-r0
medium Tenable Cloud Security Plugin ID 442363
Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:- MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application
that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to
the database using text protocol and big5 character set was vulnerable to SQL injections, even though
mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19
and 3.4.9. (CVE-2026-44172)
- MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26,
10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, during the SST
the donor node is interpolating parameters that the joiner sent into the command line. Not all parameters
were properly validated which could allow a malicious joiner to execute arbitrary shell commands on the
donor side via the mariabackup SST method. This issue has been patched in versions 10.6.26, 10.11.17,
11.4.11, 11.8.7, and 12.3.2. (CVE-2026-44168)
- MariaDB server is a community developed fork of MySQL server. From versions 11.4.1 to before 11.4.11,
11.8.1 to before 11.8.7, and 12.3.1, a user getting EXECUTE access to a stored routine via a role, could
see the routine definition even without SHOW CREATE ROUTINE privilege. This issue has been patched in
versions 11.4.11, 11.8.7, and 12.3.2. (CVE-2026-44169)
- MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26,
10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on
WIndows with installed CONNECT engine and enabled REST support interpolated table HTTP attribute into the
curl command line without proper sanitizing. This allows the user to execute shell commands on the server.
This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. (CVE-2026-44170)
- MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26,
10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, mbstream did
not check for /../ in the path when unpacking the archive. A proper backup can never contain such paths,
but a specially crafted archive could have caused mbstream to create files outside of the target-dir path.
This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. (CVE-2026-44171)
Solution
Update the mariadb library and its related packages to version 10.11.17-r0 or later.See Also
https://security.alpinelinux.org/vuln/CVE-2026-44168
https://security.alpinelinux.org/vuln/CVE-2026-44169
https://security.alpinelinux.org/vuln/CVE-2026-44170
https://security.alpinelinux.org/vuln/CVE-2026-44171
Plugin Details
Severity: Medium
ID: 442363
Version: Revision 1.7
Type: Local
Published: 5/26/2026
Updated: 6/22/2026
Supported Sensors: Agentless Assessment
Risk Information
VPR
Risk Factor: High
Score: 8.1
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 7.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2026-44172
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
CVSS v4
Risk Factor: Medium
Base Score: 6.9
Threat Score: 2.7
Threat Vector: CVSS:4.0/E:U
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Vulnerability Information
Exploit Ease: No known exploits are available
Vulnerability Publication Date: 5/19/2026
Reference Information
CVE: CVE-2026-44168, CVE-2026-44169, CVE-2026-44170, CVE-2026-44171, CVE-2026-44172, CVE-2026-44173