CVE-2015-3152 (CVSS base score 5.9)

Exploit

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.

Data is provided by the National Vulnerability Database (NVD)
Affected configurations (vendor, product, version range):
Oracle MySQL: version <= 5.7.2
MariaDB MariaDB: version >= 5.5.0, < 5.5.44
MariaDB MariaDB: version >= 10.0.0, < 10.0.20
Fedora Project Fedora: version 21
Fedora Project Fedora: version 22
Debian Debian Linux: version 8.0
Red Hat Enterprise Linux EUS: version 7.1
Red Hat Enterprise Linux EUS: version 7.2
Red Hat Enterprise Linux EUS: version 7.3
Red Hat Enterprise Linux EUS: version 7.4
Red Hat Enterprise Linux EUS: version 7.5
Red Hat Enterprise Linux EUS: version 7.6
Red Hat Enterprise Linux EUS: version 7.7
PHP PHP: version >= 5.4.0, < 5.4.43
PHP PHP: version >= 5.5.0, < 5.5.27
PHP PHP: version >= 5.6.0, < 5.6.11
No CISA KEV entry or CERT.AT warning was found for this CVE.

EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 32.48% | 0.967
CVSS metrics
Source | Base score | Exploitability score | Impact score | Vector string
nvd@nist.gov | 5.9 | 2.2 | 3.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N (CVSS v2)
CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References:
http://www.securityfocus.com/bid/74398 (Third Party Advisory, VDB Entry)
http://www.securitytracker.com/id/1032216 (Third Party Advisory, VDB Entry)
https://jira.mariadb.org/browse/MDEV-7937 (Vendor Advisory, Issue Tracking)