CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
Percentile
76.8%
The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before
5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of
zero for the depth of X.509 certificates, which allows man-in-the-middle
attackers to spoof arbitrary SSL-based MySQL servers via a crafted
certificate, as demonstrated by a certificate presented by a server linked
against the yaSSL library.
Author | Note |
---|---|
mdeslaur | dapper doesnโt build with ssl hardy+ builds with yaSSL none of our releases are vulnerable, as the yaSSL code ignores the verify callback (see mysql bug) |