Lucene search

[email protected]NVD:CVE-2015-3152

HistoryMay 16, 2016 - 10:59 a.m.

CVE-2015-3152

2016-05-1610:59:01

CWE-295

[email protected]

web.nvd.nist.gov

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

5.5 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.2%

JSON

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a “BACKRONYM” attack.

Affected configurations

NVD

Node

oraclemysqlRange≤5.7.2

oraclemysql_connector\/cRange≤6.1.2

Node

mariadbmariadbRange5.5.0–5.5.44

mariadbmariadbRange10.0.0–10.0.20

Node

fedoraprojectfedoraMatch21

fedoraprojectfedoraMatch22

Node

debiandebian_linuxMatch8.0

Node

redhatenterprise_linux_desktopMatch7.0

redhatenterprise_linux_eusMatch7.1

redhatenterprise_linux_eusMatch7.2

redhatenterprise_linux_eusMatch7.3

redhatenterprise_linux_eusMatch7.4

redhatenterprise_linux_eusMatch7.5

redhatenterprise_linux_eusMatch7.6

redhatenterprise_linux_eusMatch7.7

redhatenterprise_linux_serverMatch7.0

redhatenterprise_linux_server_ausMatch7.3

redhatenterprise_linux_server_ausMatch7.4

redhatenterprise_linux_server_ausMatch7.6

redhatenterprise_linux_server_ausMatch7.7

redhatenterprise_linux_server_tusMatch7.3

redhatenterprise_linux_server_tusMatch7.6

redhatenterprise_linux_server_tusMatch7.7

redhatenterprise_linux_workstationMatch7.0

Node

phpphpRange5.4.0–5.4.43

phpphpRange5.5.0–5.5.27

phpphpRange5.6.0–5.6.11

References

lists.fedoraproject.org/pipermail/package-announce/2015-July/161436.html

lists.fedoraproject.org/pipermail/package-announce/2015-July/161625.html

mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/

mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/

packetstormsecurity.com/files/131688/MySQL-SSL-TLS-Downgrade.html

rhn.redhat.com/errata/RHSA-2015-1646.html

rhn.redhat.com/errata/RHSA-2015-1647.html

rhn.redhat.com/errata/RHSA-2015-1665.html

www.debian.org/security/2015/dsa-3311

www.ocert.org/advisories/ocert-2015-003.html

www.securityfocus.com/archive/1/535397/100/1100/threaded

www.securityfocus.com/bid/74398

www.securitytracker.com/id/1032216

access.redhat.com/security/cve/cve-2015-3152

github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390

jira.mariadb.org/browse/MDEV-7937

www.duosecurity.com/blog/backronym-mysql-vulnerability

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

5.5 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.2%

JSON

Related for NVD:CVE-2015-3152