CVE-2017-10789

MEDIUM5.9

The DBD::mysql module through 4

Published Jul 1, 2017

Modified 1 years ago

Details

The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a "your communication with the server will be encrypted" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.

References

WEBhttp://www.securityfocus.com/bid/99364 WEBhttps://github.com/perl5-dbi/DBD-mysql/issues/110 WEBhttps://github.com/perl5-dbi/DBD-mysql/issues/140 WEBhttps://github.com/perl5-dbi/DBD-mysql/pull/114 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2017-10789

CVSS Analysis

CVSS v3.0

5.9

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

HighAC:H

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

HighI:H

Availability

NoneA:N

5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Ecosystems

Timeline

PublishedJul 1, 2017

ModifiedAug 5, 2024