Lucene search

[email protected]NVD:CVE-2009-4028

HistoryNov 30, 2009 - 5:30 p.m.

CVE-2009-4028

2009-11-3017:30:00

CWE-20

[email protected]

web.nvd.nist.gov

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

6 Medium

AI Score

Confidence

Low

0.005 Low

EPSS

Percentile

76.9%

JSON

The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.

Affected configurations

NVD

Node

mysqlmysqlRange≤5.0.87

mysqlmysqlMatch5.0.0

mysqlmysqlMatch5.0.1

mysqlmysqlMatch5.0.2

mysqlmysqlMatch5.0.3

mysqlmysqlMatch5.0.4

mysqlmysqlMatch5.0.5

mysqlmysqlMatch5.0.5.0.21

mysqlmysqlMatch5.0.10

mysqlmysqlMatch5.0.15

mysqlmysqlMatch5.0.16

mysqlmysqlMatch5.0.17

mysqlmysqlMatch5.0.20

mysqlmysqlMatch5.0.22.1.0.1

mysqlmysqlMatch5.0.24

mysqlmysqlMatch5.0.30

mysqlmysqlMatch5.0.36

mysqlmysqlMatch5.0.44

mysqlmysqlMatch5.0.54

mysqlmysqlMatch5.0.56

mysqlmysqlMatch5.0.60

mysqlmysqlMatch5.0.66

mysqlmysqlMatch5.0.82

mysqlmysqlMatch5.0.84

mysqlmysqlMatch5.1.5

mysqlmysqlMatch5.1.23

mysqlmysqlMatch5.1.31

mysqlmysqlMatch5.1.32

mysqlmysqlMatch5.1.34

mysqlmysqlMatch5.1.37

oraclemysqlMatch5.0.0alpha

oraclemysqlMatch5.0.3beta

oraclemysqlMatch5.0.6

oraclemysqlMatch5.0.7

oraclemysqlMatch5.0.8

oraclemysqlMatch5.0.11

oraclemysqlMatch5.0.12

oraclemysqlMatch5.0.13

oraclemysqlMatch5.0.14

oraclemysqlMatch5.0.18

oraclemysqlMatch5.0.19

oraclemysqlMatch5.0.21

oraclemysqlMatch5.0.22

oraclemysqlMatch5.0.23

oraclemysqlMatch5.0.25

oraclemysqlMatch5.0.26

oraclemysqlMatch5.0.27

oraclemysqlMatch5.0.30sp1

oraclemysqlMatch5.0.32

oraclemysqlMatch5.0.33

oraclemysqlMatch5.0.37

oraclemysqlMatch5.0.38

oraclemysqlMatch5.0.41

oraclemysqlMatch5.0.42

oraclemysqlMatch5.0.45

oraclemysqlMatch5.0.50

oraclemysqlMatch5.0.51

oraclemysqlMatch5.0.52

oraclemysqlMatch5.0.75

oraclemysqlMatch5.0.77

oraclemysqlMatch5.0.81

oraclemysqlMatch5.0.83

oraclemysqlMatch5.0.85

oraclemysqlMatch5.0.86

oraclemysqlMatch5.1

oraclemysqlMatch5.1.1

oraclemysqlMatch5.1.2

oraclemysqlMatch5.1.3

oraclemysqlMatch5.1.4

oraclemysqlMatch5.1.6

oraclemysqlMatch5.1.7

oraclemysqlMatch5.1.8

oraclemysqlMatch5.1.9

oraclemysqlMatch5.1.10

oraclemysqlMatch5.1.11

oraclemysqlMatch5.1.12

oraclemysqlMatch5.1.13

oraclemysqlMatch5.1.14

oraclemysqlMatch5.1.15

oraclemysqlMatch5.1.16

oraclemysqlMatch5.1.17

oraclemysqlMatch5.1.18

oraclemysqlMatch5.1.19

oraclemysqlMatch5.1.20

oraclemysqlMatch5.1.21

oraclemysqlMatch5.1.22

oraclemysqlMatch5.1.23a

oraclemysqlMatch5.1.24

oraclemysqlMatch5.1.25

oraclemysqlMatch5.1.26

oraclemysqlMatch5.1.27

oraclemysqlMatch5.1.28

oraclemysqlMatch5.1.29

oraclemysqlMatch5.1.30

oraclemysqlMatch5.1.31sp1

oraclemysqlMatch5.1.33

oraclemysqlMatch5.1.34sp1

oraclemysqlMatch5.1.35

oraclemysqlMatch5.1.36

oraclemysqlMatch5.1.37sp1

oraclemysqlMatch5.1.38

oraclemysqlMatch5.1.39

oraclemysqlMatch5.1.40

oraclemysqlMatch5.1.40sp1

References

bugs.mysql.com/47320

dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html

dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html

lists.mysql.com/commits/87446

lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html

marc.info/?l=oss-security&m=125881733826437&w=2

www.openwall.com/lists/oss-security/2009/11/19/3

www.openwall.com/lists/oss-security/2009/11/23/16

www.redhat.com/support/errata/RHSA-2010-0109.html

www.vupen.com/english/advisories/2010/1107

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10940

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8510

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

6 Medium

AI Score

Confidence

Low

0.005 Low

EPSS

Percentile

76.9%

JSON

Related for NVD:CVE-2009-4028

seebug1 prion1 ubuntucve1 veracode1 cve1 cvelist1 openvas17 fedora2 nessus20 securityvulns2 centos1 oraclelinux1 redhat1 gentoo1