CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
54.4%
Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a “BACKRONYM” attack.
Vendor | Product | Version | CPE |
---|---|---|---|
oracle | mysql | * | cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:* |
oracle | mysql_connector/c | * | cpe:2.3:a:oracle:mysql_connector\/c:*:*:*:*:*:*:*:* |
mariadb | mariadb | * | cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:* |
fedoraproject | fedora | 21 | cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:* |
fedoraproject | fedora | 22 | cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:* |
debian | debian_linux | 8.0 | cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* |
redhat | enterprise_linux_desktop | 7.0 | cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:* |
redhat | enterprise_linux_eus | 7.1 | cpe:2.3:o:redhat:enterprise_linux_eus:7.1:*:*:*:*:*:*:* |
redhat | enterprise_linux_eus | 7.2 | cpe:2.3:o:redhat:enterprise_linux_eus:7.2:*:*:*:*:*:*:* |
redhat | enterprise_linux_eus | 7.3 | cpe:2.3:o:redhat:enterprise_linux_eus:7.3:*:*:*:*:*:*:* |
lists.fedoraproject.org/pipermail/package-announce/2015-July/161436.html
lists.fedoraproject.org/pipermail/package-announce/2015-July/161625.html
mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/
mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/
packetstormsecurity.com/files/131688/MySQL-SSL-TLS-Downgrade.html
rhn.redhat.com/errata/RHSA-2015-1646.html
rhn.redhat.com/errata/RHSA-2015-1647.html
rhn.redhat.com/errata/RHSA-2015-1665.html
www.debian.org/security/2015/dsa-3311
www.ocert.org/advisories/ocert-2015-003.html
www.securityfocus.com/archive/1/535397/100/1100/threaded
www.securityfocus.com/bid/74398
www.securitytracker.com/id/1032216
access.redhat.com/security/cve/cve-2015-3152
github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
jira.mariadb.org/browse/MDEV-7937
www.duosecurity.com/blog/backronym-mysql-vulnerability