CVE-2015-3152
Advisory lineage Upstream: 0 Downstream: 12
Modified
Published: 16 May 2016, 10:00
Last modified: 06 Aug 2024, 05:39
Vulnerability Summary
Overall Risk (default)
medium
42/100 CVSS Score
5.9 MEDIUM
v3.1 (nvd)
EPSS Score
39.69% HIGH
40% probability -12.56%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
16 May 2016, 10:00
Published
Vulnerability first disclosed
06 Aug 2024, 05:39
Last Modified
Vulnerability information updated
Description
Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.9•CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
- v2.0•MEDIUM•Score: 4.3•AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS Trends
Current EPSS score: 39.69% • Percentile: 97%
Techniques & Countermeasures
- CWE-295•Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.
Affected Systems
- debian•debian_linux
8.0
- fedoraproject•fedora
21 | 22
- mariadb•mariadb
≥ 5.5.0, < 5.5.44 | ≥ 10.0.0, < 10.0.20
- oracle•mysql
≤ 5.7.2
- oracle•mysql_connector/c
≤ 6.1.2
- Unknown•PHP
≥ 5.4.0, < 5.4.43 | ≥ 5.5.0, < 5.5.27 | ≥ 5.6.0, < 5.6.11
- redhat•enterprise_linux_desktop
7.0
- redhat•enterprise_linux_eus
7.1 | 7.2 | 7.3 | 7.4 | 7.5 | 7.6 | 7.7
- redhat•enterprise_linux_server
7.0
- redhat•enterprise_linux_server_aus
7.3 | 7.4 | 7.6 | 7.7
- redhat•enterprise_linux_server_tus
7.3 | 7.6 | 7.7
- redhat•enterprise_linux_workstation
7.0
References (17)
- http://packetstormsecurity.com/files/131688/MySQL-SSL-TLS-Downgrade.html
- http://mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/
- http://www.securityfocus.com/bid/74398
- https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
- https://access.redhat.com/security/cve/cve-2015-3152
- http://rhn.redhat.com/errata/RHSA-2015-1646.html
- http://www.debian.org/security/2015/dsa-3311
- http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/
- http://rhn.redhat.com/errata/RHSA-2015-1647.html
- http://www.securitytracker.com/id/1032216
- https://www.duosecurity.com/blog/backronym-mysql-vulnerability
- https://jira.mariadb.org/browse/MDEV-7937
- http://www.ocert.org/advisories/ocert-2015-003.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161625.html
- http://www.securityfocus.com/archive/1/535397/100/1100/threaded
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161436.html
- http://rhn.redhat.com/errata/RHSA-2015-1665.html