CVE-2015-3152 Information

Share on:

Feb 14, 2021 cve

Description

Oracle MySQL before 5.7.3 Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3 and MariaDB before 5.5.44 use the –ssl option to mean that SSL is optional which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack aka a \BACKRONYM\ attack.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161436.html http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161625.html http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/ http://mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/ http://packetstormsecurity.com/files/131688/MySQL-SSL-TLS-Downgrade.html http://rhn.redhat.com/errata/RHSA-2015-1646.html http://rhn.redhat.com/errata/RHSA-2015-1647.html http://rhn.redhat.com/errata/RHSA-2015-1665.html http://www.debian.org/security/2015/dsa-3311 http://www.ocert.org/advisories/ocert-2015-003.html http://www.securityfocus.com/archive/1/535397/100/1100/threaded http://www.securityfocus.com/bid/74398 http://www.securitytracker.com/id/1032216 https://access.redhat.com/security/cve/cve-2015-3152 https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390 https://jira.mariadb.org/browse/MDEV-7937 https://www.duosecurity.com/blog/backronym-mysql-vulnerability

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

5.9