Detections
Analytics

NewStart CGSL MAIN 7.02 : mariadb Multiple Vulnerabilities (NS-SA-2025-0114)

medium Nessus Plugin ID 242740

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 7.02, has mariadb packages installed that are affected by multiple vulnerabilities:

 - Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.
 Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2025-21490)

 - MariaDB Server 10.4 before 10.4.33, 10.5 before 10.5.24, 10.6 before 10.6.17, 10.7 through 10.11 before 10.11.7, 11.0 before 11.0.5, and 11.1 before 11.1.4 calls fix_fields_if_needed under mysql_derived_prepare when derived is not yet prepared, leading to a find_field_in_table crash. (CVE-2023-52968)

 - MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through 10.11.*, and 11.0 through 11.0.* can sometimes crash with an empty backtrace log. This may be related to make_aggr_tables_info and optimize_stage2. (CVE-2023-52969)

 - MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through 10.11.*, 11.0 through 11.0.*, and 11.1 through 11.4.* crashes in Item_direct_view_ref::derived_field_transformer_for_where. (CVE-2023-52970)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL mariadb packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

https://security.gd-linux.com/notice/NS-SA-2025-0114

https://security.gd-linux.com/info/CVE-2023-52968

https://security.gd-linux.com/info/CVE-2023-52969

https://security.gd-linux.com/info/CVE-2023-52970

https://security.gd-linux.com/info/CVE-2025-21490

Plugin Details

Severity: Medium

ID: 242740

File Name: newstart_cgsl_NS-SA-2025-0114_mariadb.nasl

Version: 1.1

Type: local

Published: 7/25/2025

Updated: 7/25/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:L/Au:M/C:N/I:N/A:C

CVSS Score Source: CVE-2025-21490

CVSS v3

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:zte:cgsl_main:mariadb-errmsg, p-cpe:/a:zte:cgsl_main:mariadb-server-utils, p-cpe:/a:zte:cgsl_main:mariadb-gssapi-server, p-cpe:/a:zte:cgsl_main:mariadb-backup, p-cpe:/a:zte:cgsl_main:mariadb-server, cpe:/o:zte:cgsl_main:7, p-cpe:/a:zte:cgsl_main:mariadb, p-cpe:/a:zte:cgsl_main:mariadb-common

Required KB Items: Host/local_checks_enabled, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 7/25/2025

Vulnerability Publication Date: 8/1/2024

Reference Information

CVE: CVE-2023-52968, CVE-2023-52969, CVE-2023-52970, CVE-2025-21490