CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

MySQL is vulnerable to man-in-the-middle attacks. The ssl_verify_server_cert function in sql-common/client.c does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, allowing an attacker to spoof SSL servers via the /CN= field in a certificate.
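
The following is an added example, not code from MySQL or from this page. It contrasts a hostname check that searches a flattened subject string for "/CN=" with one that reads only typed CN attributes. The flattened-string behaviour is an assumption made for illustration, the names `weak_match`, `strict_match`, `same_name` and `struct rdn` are hypothetical, the subjects are constructed, and subjectAltName is not modelled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One typed attribute of a certificate subject, e.g. {"CN", "db.example.test"}. */
struct rdn { const char *type; const char *value; };

/* Constructed sample subjects (not taken from any real certificate). */
static const struct rdn HONEST[]  = { {"OU", "db"}, {"CN", "db.example.test"} };
static const struct rdn CRAFTED[] = { {"OU", "/CN=db.example.test"},
                                      {"CN", "other.example.test"} };

/* Case-insensitive comparison of a[0..alen) with the NUL-terminated name b. */
static int same_name(const char *a, size_t alen, const char *b) {
    if (strlen(b) != alen) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Weak check (assumed behaviour): flatten the subject to "/TYPE=value/..."
 * text, then compare whatever follows the first "/CN=". A value that itself
 * contains "/CN=" cannot be told apart from a real CN attribute. */
int weak_match(const struct rdn *s, size_t n, const char *host) {
    char line[256] = "";
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(line + used, sizeof line - used, "/%s=%s",
                         s[i].type, s[i].value);
        if (w < 0 || (size_t)w >= sizeof line - used) return 0; /* truncated */
        used += (size_t)w;
    }
    const char *cn = strstr(line, "/CN=");
    if (cn == NULL) return 0;
    cn += 4;
    return same_name(cn, strcspn(cn, "/"), host);
}

/* Hardened check: look only at attributes whose type is CN and compare the
 * whole value of the first one, so text in other attributes never counts. */
int strict_match(const struct rdn *s, size_t n, const char *host) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(s[i].type, "CN") == 0)
            return same_name(s[i].value, strlen(s[i].value), host);
    return 0;
}

int main(void) {
    printf("crafted subject: weak=%d strict=%d\n",
           weak_match(CRAFTED, 2, "db.example.test"),
           strict_match(CRAFTED, 2, "db.example.test"));
    return 0;
}
```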