5.9

CVE-2015-3152

Exploit
Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OracleMysql Version <= 5.7.2
MariadbMariadb Version >= 5.5.0 < 5.5.44
MariadbMariadb Version >= 10.0.0 < 10.0.20
FedoraprojectFedora Version21
FedoraprojectFedora Version22
DebianDebian Linux Version8.0
RedhatEnterprise Linux Eus Version7.1
RedhatEnterprise Linux Eus Version7.2
RedhatEnterprise Linux Eus Version7.3
RedhatEnterprise Linux Eus Version7.4
RedhatEnterprise Linux Eus Version7.5
RedhatEnterprise Linux Eus Version7.6
RedhatEnterprise Linux Eus Version7.7
PhpPhp Version >= 5.4.0 < 5.4.43
PhpPhp Version >= 5.5.0 < 5.5.27
PhpPhp Version >= 5.6.0 < 5.6.11
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 7.08% 0.934
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

http://rhn.redhat.com/errata/RHSA-2015-1647.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1665.html
Third Party Advisory
http://www.debian.org/security/2015/dsa-3311
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1646.html
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161436.html
Third Party Advisory
Mailing List
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161625.html
Third Party Advisory
Mailing List
http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/
Third Party Advisory
Exploit
http://mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/
Third Party Advisory
http://packetstormsecurity.com/files/131688/MySQL-SSL-TLS-Downgrade.html
Third Party Advisory
VDB Entry
http://www.ocert.org/advisories/ocert-2015-003.html
Vendor Advisory
http://www.securityfocus.com/archive/1/535397/100/1100/threaded
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/74398
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1032216
Third Party Advisory
VDB Entry
https://access.redhat.com/security/cve/cve-2015-3152
Third Party Advisory
https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
Patch
Third Party Advisory
https://jira.mariadb.org/browse/MDEV-7937
Vendor Advisory
Issue Tracking
https://www.duosecurity.com/blog/backronym-mysql-vulnerability
Third Party Advisory