CVE-2025-14758
📋 TL;DR
This vulnerability allows an on-path attacker to read database contents, including potentially sensitive credentials, due to incorrect replication security configuration in MariaDB within the YAOOK Operator's infra-operator component. It affects systems running vulnerable versions of YAOOK Operator with the infra-operator component enabled. Attackers must be positioned on the network path between replication nodes.
💻 Affected Systems
- YAOOK Operator
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of database contents including credentials, leading to lateral movement, data exfiltration, and potential full system compromise.
Likely Case
Unauthorized reading of sensitive database information, potentially exposing credentials and other confidential data.
If Mitigated
Limited exposure of non-sensitive data if proper network segmentation and encryption are in place.
🎯 Exploit Status
Exploitation requires network positioning between replication nodes and understanding of MariaDB replication protocols. No authentication needed once positioned correctly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in the reference; a fix is available according to the GitLab issue
Vendor Advisory: https://gitlab.com/yaook/operator/-/issues/631
Restart Required: Yes
Instructions:
1. Update YAOOK Operator to the latest version.
2. Ensure the infra-operator component is updated.
3. Restart affected services.
4. Verify that the replication security configuration is properly applied.
🔧 Temporary Workarounds
Enable TLS for MariaDB replication
Configure MariaDB replication to use TLS encryption to prevent on-path interception.
# Configure MariaDB with SSL/TLS for replication
# Set ssl-ca, ssl-cert, ssl-key parameters in my.cnf
# Configure CHANGE MASTER TO with SSL options
Network segmentation
Isolate replication traffic to a dedicated, secured network segment.
# Use firewall rules to restrict replication traffic: allow only the known replica, then drop everything else
# Example: iptables -A INPUT -p tcp --dport 3306 -s [replica_ip] -j ACCEPT
#          iptables -A INPUT -p tcp --dport 3306 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate replication traffic from untrusted networks.
- Enable and enforce TLS encryption for all MariaDB replication connections.
🔍 How to Verify
Check if Vulnerable:
Check whether you are running a vulnerable YAOOK Operator version with the infra-operator component enabled and MariaDB replication configured without TLS. Review the replication configuration in MariaDB.
Check Version:
kubectl get pods -n [yaook-namespace] -o jsonpath='{.items[*].spec.containers[*].image}' | grep yaook/operator
Verify Fix Applied:
Verify YAOOK Operator is updated to patched version, check that replication connections are using TLS, and confirm no unencrypted replication traffic is detectable.
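Added here as a worked check, not code from the advisory or from the YAOOK project: a Python script that parses the text of `SHOW SLAVE STATUS\G` from a replica together with the server's my.cnf and reports whether the TLS settings named in the workaround above (ssl-ca, ssl-cert, ssl-key and CHANGE MASTER TO with SSL options) are actually in place. The status excerpts, my.cnf fragments and file paths are constructed samples, and the require_secure_transport check assumes MariaDB 10.5.2 or later.

```python
import re
# Constructed `SHOW SLAVE STATUS\G` excerpt for a replica without TLS (the weak state).
WEAK_STATUS = """\
                   Master_Host: mariadb-0.example.internal
            Master_SSL_Allowed: No
 Master_SSL_Verify_Server_Cert: No
"""
# Same replica after CHANGE MASTER TO ... MASTER_SSL=1, MASTER_SSL_VERIFY_SERVER_CERT=1.
HARDENED_STATUS = WEAK_STATUS.replace(": No", ": Yes")
# Constructed my.cnf fragments: no TLS material vs. TLS material plus enforcement.
WEAK_CNF = "[mysqld]\nserver-id = 2\nbind-address = 0.0.0.0\n"
HARDENED_CNF = """\
[mariadb]
ssl-ca   = /etc/mysql/tls/ca.pem       # constructed paths
ssl-cert = /etc/mysql/tls/replica.pem
ssl-key  = /etc/mysql/tls/replica.key
require-secure-transport = ON          # MariaDB 10.5.2+ only
"""

def parse_status(text):
    """Map the 'Field: value' lines of a \\G-formatted status dump to a dict."""
    return {m[1]: m[2].strip() for m in re.finditer(r"^\s*([A-Za-z_]+):(.*)$", text, re.M)}

def parse_my_cnf(text):
    """Collect options from server sections; ssl-ca and ssl_ca both normalise to ssl_ca."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):      # skip blanks, comments, !include directives
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section in ("mysqld", "mariadb", "server"):
            key, _, val = line.partition("=")
            opts[key.strip().replace("-", "_")] = val.strip()
    return opts

def check_replica_tls(status_text, cnf_text):
    """Return findings; an empty list means replication is configured for TLS."""
    st, cnf, findings = parse_status(status_text), parse_my_cnf(cnf_text), []
    if st.get("Master_SSL_Allowed") != "Yes":
        findings.append("replica: Master_SSL_Allowed != Yes (MASTER_SSL=1 not set)")
    if st.get("Master_SSL_Verify_Server_Cert") != "Yes":
        findings.append("replica: primary cert not verified (MASTER_SSL_VERIFY_SERVER_CERT=1)")
    for opt in ("ssl_ca", "ssl_cert", "ssl_key"):
        if not cnf.get(opt):
            findings.append(f"my.cnf: {opt} missing from server section")
    if cnf.get("require_secure_transport", "").upper() not in ("ON", "1"):
        findings.append("my.cnf: require_secure_transport not ON, plaintext clients still accepted")
    return findings
```

Run it against the real `SHOW SLAVE STATUS\G` output and my.cnf of each replica; any finding means the workaround is not fully applied on that node.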
📡 Detection & Monitoring
Log Indicators:
- Unauthorized connection attempts to replication ports
- Replication errors or warnings in MariaDB logs
- Unusual data access patterns from replication nodes
Network Indicators:
- Unencrypted replication traffic on port 3306 between nodes
- Unexpected sources connecting to replication ports
SIEM Query:
(source="mariadb.log" AND "replication" AND ("error" OR "warning" OR "unauthorized")) OR (destination_port=3306 AND NOT protocol="TLS")