CVE-2017-10789

CVSS v3 score: 5.9

Published: 01/07/2017 Updated: 03/10/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 383
CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

The DBD::mysql module up to and including 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a "your communication with the server will be encrypted" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.
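Because mysql_ssl=1 on the affected versions only requests TLS, the practical defence is to check from the established session whether TLS was actually negotiated. The following Perl script is an added example, not code from the Vulmon page or the DBD::mysql project; the host, database and credentials are assumed placeholders.

```perl
#!/usr/bin/env perl
# Added example: connect with mysql_ssl=1, then confirm from the server's
# session status that the link really is TLS-protected. On DBD::mysql <= 4.043
# a server (or an on-path downgrade) offering no TLS still yields a silently
# cleartext session, so the post-connect check is what catches it.
use strict;
use warnings;
use DBI;

# Assumed connection parameters (placeholders, not taken from the page).
my $host = $ENV{DB_HOST} // 'db.example.internal';
my $user = $ENV{DB_USER} // 'app';
my $pass = $ENV{DB_PASS} // '';
my $db   = $ENV{DB_NAME} // 'app';

# Returns (handle, cipher) only if the session negotiated TLS; dies otherwise.
sub connect_require_tls {
    my (%p) = @_;
    my $dsn = "DBI:mysql:database=$p{db};host=$p{host};mysql_ssl=1";
    my $dbh = DBI->connect($dsn, $p{user}, $p{pass},
                           { RaiseError => 1, PrintError => 0 })
        or die "connect failed: $DBI::errstr\n";

    # SHOW STATUS LIKE 'Ssl_cipher' returns (Variable_name, Value) for the
    # current session; Value is the empty string when the connection is
    # not encrypted.
    my (undef, $cipher) = $dbh->selectrow_array("SHOW STATUS LIKE 'Ssl_cipher'");
    unless (defined $cipher && length $cipher) {
        $dbh->disconnect;
        die "connection to $p{host} is NOT encrypted "
          . "(mysql_ssl=1 was treated as optional); refusing to continue\n";
    }
    return ($dbh, $cipher);
}

my ($dbh, $cipher) = connect_require_tls(
    host => $host, user => $user, pass => $pass, db => $db,
);
print "TLS session established with cipher $cipher\n";
$dbh->disconnect;
```

The status check is independent of the driver version, so it remains a useful defence-in-depth control even after upgrading to a fixed DBD::mysql release.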

Affected product: dbd-mysql (vendor: dbd-mysql project)

Vendor Advisories

Debian Bug report logs - #866818 libdbd-mysql-perl: CVE-2017-10788 Package: src:libdbd-mysql-perl; Maintainer for src:libdbd-mysql-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Sun, 2 Jul 2017 07:18:04 UTC Severity: important Tag ...
Debian Bug report logs - #866821 libdbd-mysql-perl: CVE-2017-10789 Package: src:libdbd-mysql-perl; Maintainer for src:libdbd-mysql-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Sun, 2 Jul 2017 07:33:05 UTC Severity: important Tag ...
The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a "your communication with the server will be encrypted" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152 ...

Recent Articles

Perl devs solve ancient Riddle: 'What's a vuln we caught from Oracle?'
The Register • Richard Chirgwin • 06 Jul 2017

BACKRONYM also fixed, so pull the patch

The Perl 5 database interface maintainers have issued an important patch for DBD—MySQL: in some configurations it wasn't enforcing encryption. As CVE-2017-10789 explains: “The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a 'your communication with the server will be encrypted' statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issu...