5.9
CVE-2015-3152
- EPSS 7.08%
- Veröffentlicht 16.05.2016 10:59:01
- Zuletzt bearbeitet 06.05.2026 22:30:45
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fedoraproject ≫ Fedora Version21
Fedoraproject ≫ Fedora Version22
Debian ≫ Debian Linux Version8.0
Redhat ≫ Enterprise Linux Desktop Version7.0
Redhat ≫ Enterprise Linux Eus Version7.1
Redhat ≫ Enterprise Linux Eus Version7.2
Redhat ≫ Enterprise Linux Eus Version7.3
Redhat ≫ Enterprise Linux Eus Version7.4
Redhat ≫ Enterprise Linux Eus Version7.5
Redhat ≫ Enterprise Linux Eus Version7.6
Redhat ≫ Enterprise Linux Eus Version7.7
Redhat ≫ Enterprise Linux Server Version7.0
Redhat ≫ Enterprise Linux Server Aus Version7.3
Redhat ≫ Enterprise Linux Server Aus Version7.4
Redhat ≫ Enterprise Linux Server Aus Version7.6
Redhat ≫ Enterprise Linux Server Aus Version7.7
Redhat ≫ Enterprise Linux Server Tus Version7.3
Redhat ≫ Enterprise Linux Server Tus Version7.6
Redhat ≫ Enterprise Linux Server Tus Version7.7
Redhat ≫ Enterprise Linux Workstation Version7.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 7.08% | 0.934 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.9 | 2.2 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-295 Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.
http://rhn.redhat.com/errata/RHSA-2015-1647.html
http://rhn.redhat.com/errata/RHSA-2015-1665.html
http://www.debian.org/security/2015/dsa-3311
http://rhn.redhat.com/errata/RHSA-2015-1646.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161436.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161625.html
http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/
http://mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/
http://packetstormsecurity.com/files/131688/MySQL-SSL-TLS-Downgrade.html
http://www.ocert.org/advisories/ocert-2015-003.html
http://www.securityfocus.com/archive/1/535397/100/1100/threaded
http://www.securityfocus.com/bid/74398
http://www.securitytracker.com/id/1032216
https://access.redhat.com/security/cve/cve-2015-3152
https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
https://jira.mariadb.org/browse/MDEV-7937
https://www.duosecurity.com/blog/backronym-mysql-vulnerability