CVSS2: 4.3 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |

CVSS3: 5.9 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |

EPSS: 0.002 Low (percentile 54.1%)
Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient)
before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that
SSL is optional, which allows man-in-the-middle attackers to spoof servers
via a cleartext-downgrade attack, aka a “BACKRONYM” attack.
Author | Note |
---|---|
tyhicks | The MySQL documentation makes the behavior of the --ssl option clear. It isn’t known if they’ll release updates for the 5.5/5.6 series. |
mdeslaur | Not included in 5.5.47 or 5.6.28. Marking this issue as “ignored” since it doesn’t look like upstream is going to fix this in 5.5 and 5.6, and we aren’t going to diverge from upstream. |
OS | OS Version | Architecture | Package | Affected Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 15.04 | noarch | mariadb-10.0 | < 10.0.20-0ubuntu0.15.04.1 | UNKNOWN |
ubuntu | 15.10 | noarch | mariadb-10.0 | < 10.0.22-0ubuntu0.15.10.1 | UNKNOWN |
ubuntu | 16.04 | noarch | mariadb-10.0 | < 10.0.22-0ubuntu1 | UNKNOWN |
ubuntu | 16.10 | noarch | mariadb-10.0 | < 10.0.22-0ubuntu1 | UNKNOWN |
ubuntu | 14.04 | noarch | mariadb-5.5 | < 5.5.44-1ubuntu0.14.04.1 | UNKNOWN |
ubuntu | 14.10 | noarch | mariadb-5.5 | < 5.5.44-1ubuntu0.14.10.1 | UNKNOWN |
ubuntu | 16.04 | noarch | percona-server-5.6 | < any | UNKNOWN |
dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html
mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/
www.ocert.org/advisories/ocert-2015-003.html
launchpad.net/bugs/cve/CVE-2015-3152
nvd.nist.gov/vuln/detail/CVE-2015-3152
security-tracker.debian.org/tracker/CVE-2015-3152
www.cve.org/CVERecord?id=CVE-2015-3152