CVE-2017-10789

Ubuntu Security Notice USN-7417-1

Severity Score

5.9

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a "your communication with the server will be encrypted" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.

El módulo DBD::mysql hasta la versión 4.043 para Perl, usa la configuración mysql_ssl=1 para definir que SSL es opcional (aunque la documentación de esta configuración tiene una instrucción "your communication with the server will be encrypted"), lo que permite a atacantes de tipo man-in-the-middle suplantar servidores por medio de un ataque de degradación de texto sin cifrar, un problema relacionado con el CVE-2015-3152.

It was discovered that libdbd-mysql-perl did not correctly handle certain SQL queries. An attacker could possibly use this issue to cause a denial of service. It was discovered that libdbd-mysql-perl did not correctly handle certain memory operations, which could lead to a use-after-free vulnerability. A remote attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-07-01 CVE Reserved
2017-07-01 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
http://www.securityfocus.com/bid/99364	Third Party Advisory
https://github.com/perl5-dbi/DBD-mysql/issues/110	Third Party Advisory
https://github.com/perl5-dbi/DBD-mysql/issues/140	X_refsource_misc
https://github.com/perl5-dbi/DBD-mysql/pull/114	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dbd-mysql Project Search vendor "Dbd-mysql Project"		Dbd-mysql Search vendor "Dbd-mysql Project" for product "Dbd-mysql"				<= 4.043 Search vendor "Dbd-mysql Project" for product "Dbd-mysql" and version " <= 4.043"		-		Affected