exploitDog

CVE-2015-3152

Published: 29 Apr 2015
Source: redhat
CVSS2: 4.3
EPSS: Medium

Description

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.

It was found that the MySQL client library permitted but did not require a client to use SSL/TLS when establishing a secure connection to a MySQL server using the "--ssl" option. A man-in-the-middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | mysql55-mysql | Will not fix | | |
| Red Hat Enterprise Linux 6 | mysql | Will not fix | | |
| Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse) | mariadb-galera | Will not fix | | |
| Red Hat Enterprise Linux OpenStack Platform 6 (Juno) | mariadb-galera | Will not fix | | |
| Red Hat Software Collections | mysql55-mysql | Will not fix | | |
| Red Hat Software Collections | rh-mysql56-mysql | Will not fix | | |
| Red Hat Enterprise Linux 7 | mariadb | Fixed | RHSA-2015:1665 | 24.08.2015 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-mariadb100-mariadb | Fixed | RHSA-2015:1646 | 20.08.2015 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | mariadb55-mariadb | Fixed | RHSA-2015:1647 | 20.08.2015 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS | rh-mariadb100-mariadb | Fixed | RHSA-2015:1646 | 20.08.2015 |

Additional information

Status: Moderate

https://bugzilla.redhat.com/show_bug.cgi?id=1217506 - mysql: use of SSL/TLS can not be enforced in mysql client library (oCERT-2015-003, BACKRONYM)

EPSS

Percentile: 98%
0.54248
Medium

4.3 Medium

CVSS2

Related vulnerabilities

CVSS3: 5.9
ubuntu
about 9 years ago

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.

CVSS3: 5.9
nvd
about 9 years ago

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.

CVSS3: 5.9
debian
about 9 years ago

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclien ...

CVSS3: 5.9
github
about 3 years ago

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.

suse-cvrf
almost 10 years ago

Security update for mariadb
