CVE-2017-10789 - OpenCVE

The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a "your communication with the server will be encrypted" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Dbd-mysql Project	Dbd-mysql

Configuration 1 [-]

cpe:2.3:a:dbd-mysql_project:dbd-mysql:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/99364	Third Party Advisory VDB Entry
https://github.com/perl5-dbi/DBD-mysql/issues/110	Third Party Advisory
https://github.com/perl5-dbi/DBD-mysql/issues/140
https://github.com/perl5-dbi/DBD-mysql/pull/114	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-07-01T18:00:00

Updated: 2018-01-17T19:57:01

Reserved: 2017-07-01T00:00:00

Link: CVE-2017-10789

JSON object: View

NVD Information

Status : Modified

Published: 2017-07-01T18:29:00.237

Modified: 2019-10-03T00:03:26.223

Link: CVE-2017-10789

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-07-01T00:00:00", "descriptions": [{"lang": "en", "value": "The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a \"your communication with the server will be encrypted\" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-17T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "99364", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99364"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/perl5-dbi/DBD-mysql/issues/140"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/perl5-dbi/DBD-mysql/pull/114"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/perl5-dbi/DBD-mysql/issues/110"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-10789", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a \"your communication with the server will be encrypted\" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "99364", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99364"}, {"name": "https://github.com/perl5-dbi/DBD-mysql/issues/140", "refsource": "MISC", "url": "https://github.com/perl5-dbi/DBD-mysql/issues/140"}, {"name": "https://github.com/perl5-dbi/DBD-mysql/pull/114", "refsource": "MISC", "url": "https://github.com/perl5-dbi/DBD-mysql/pull/114"}, {"name": "https://github.com/perl5-dbi/DBD-mysql/issues/110", "refsource": "MISC", "url": "https://github.com/perl5-dbi/DBD-mysql/issues/110"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-10789", "datePublished": "2017-07-01T18:00:00", "dateReserved": "2017-07-01T00:00:00", "dateUpdated": "2018-01-17T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dbd-mysql_project:dbd-mysql:*:*:*:*:*:*:*:*", "matchCriteriaId": "B381B18D-5C6F-4805-ABE8-7C07E39EC1F2", "versionEndIncluding": "4.043", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a \"your communication with the server will be encrypted\" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152."}, {"lang": "es", "value": "El m\u00f3dulo DBD::mysql hasta la versi\u00f3n 4.043 para Perl, usa la configuraci\u00f3n mysql_ssl=1 para definir que SSL es opcional (aunque la documentaci\u00f3n de esta configuraci\u00f3n tiene una instrucci\u00f3n \"your communication with the server will be encrypted\"), lo que permite a atacantes de tipo man-in-the-middle suplantar servidores por medio de un ataque de degradaci\u00f3n de texto sin cifrar, un problema relacionado con el CVE-2015-3152."}], "id": "CVE-2017-10789", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-07-01T18:29:00.237", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99364"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/perl5-dbi/DBD-mysql/issues/110"}, {"source": "cve@mitre.org", "url": "https://github.com/perl5-dbi/DBD-mysql/issues/140"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/perl5-dbi/DBD-mysql/pull/114"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}