CVE-2007-5934

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The LOB functionality in PEAR MDB2 before 2.5.0a1 interprets a request to store a URL string as a request to retrieve and store the contents of the URL, which might allow remote attackers to use MDB2 as an indirect proxy or obtain sensitive information via a URL into a form field in an MDB2 application, as demonstrated by a file:// URL or a URL for an intranet web site.

La funcionalidad LOB en PEAR MDB2 anterior a 2.5.0a1 interpreta una respuesta para almacenar una cadena que contiene una URL, lo cual podría permitir a atacantes remotos utilziar MDB2 como un proxy indirecto o obtener información sensible a través de una URL dentro del campo form en una aplicaicón MDB2, como se demostró por file:// URL o una URL para un sitio web intranet.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2007-11-13 CVE Reserved
2007-11-13 CVE Published
2024-08-07 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (12)

URL	Tag	Source
http://bugs.gentoo.org/show_bug.cgi?id=198446	X_refsource_confirm
http://marc.info/?l=pear-cvs&m=117823082829114&w=2	Mailing List
http://osvdb.org/42107	Vdb Entry
http://pear.php.net/bugs/bug.php?id=10024	X_refsource_confirm
http://pear.php.net/package/MDB2/download/2.5.0a1	X_refsource_confirm
http://secunia.com/advisories/27572	Third Party Advisory
http://secunia.com/advisories/27626	Third Party Advisory
http://secunia.com/advisories/27983	Third Party Advisory
http://www.securityfocus.com/bid/26382	Vdb Entry
http://www.vupen.com/english/advisories/2007/3806	Vdb Entry

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://security.gentoo.org/glsa/glsa-200712-05.xml	2011-03-08
https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00434.html	2011-03-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Pear Search vendor "Pear"		Structures Datagrid Datasource Mdb2 Search vendor "Pear" for product "Structures Datagrid Datasource Mdb2"				<= 2.5.0 Search vendor "Pear" for product "Structures Datagrid Datasource Mdb2" and version " <= 2.5.0"		-		Affected