{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-07-01T00:00:00", "descriptions": [{"lang": "en", "value": "The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a \"your communication with the server will be encrypted\" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-17T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "99364", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99364"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/perl5-dbi/DBD-mysql/issues/140"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/perl5-dbi/DBD-mysql/pull/114"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/perl5-dbi/DBD-mysql/issues/110"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-10789", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a \"your communication with the server will be encrypted\" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "99364", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99364"}, {"name": "https://github.com/perl5-dbi/DBD-mysql/issues/140", "refsource": "MISC", "url": "https://github.com/perl5-dbi/DBD-mysql/issues/140"}, {"name": "https://github.com/perl5-dbi/DBD-mysql/pull/114", "refsource": "MISC", "url": "https://github.com/perl5-dbi/DBD-mysql/pull/114"}, {"name": "https://github.com/perl5-dbi/DBD-mysql/issues/110", "refsource": "MISC", "url": "https://github.com/perl5-dbi/DBD-mysql/issues/110"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T17:50:12.094Z"}, "title": "CVE Program Container", "references": [{"name": "99364", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/99364"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/perl5-dbi/DBD-mysql/issues/140"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/perl5-dbi/DBD-mysql/pull/114"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/perl5-dbi/DBD-mysql/issues/110"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-10789", "datePublished": "2017-07-01T18:00:00", "dateReserved": "2017-07-01T00:00:00", "dateUpdated": "2024-08-05T17:50:12.094Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dbd-mysql_project:dbd-mysql:*:*:*:*:*:*:*:*", "matchCriteriaId": "B381B18D-5C6F-4805-ABE8-7C07E39EC1F2", "versionEndIncluding": "4.043", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a \"your communication with the server will be encrypted\" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152."}, {"lang": "es", "value": "El m\u00f3dulo DBD::mysql hasta la versi\u00f3n 4.043 para Perl, usa la configuraci\u00f3n mysql_ssl=1 para definir que SSL es opcional (aunque la documentaci\u00f3n de esta configuraci\u00f3n tiene una instrucci\u00f3n \"your communication with the server will be encrypted\"), lo que permite a atacantes de tipo man-in-the-middle suplantar servidores por medio de un ataque de degradaci\u00f3n de texto sin cifrar, un problema relacionado con el CVE-2015-3152."}], "id": "CVE-2017-10789", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-07-01T18:29:00.237", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99364"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/perl5-dbi/DBD-mysql/issues/110"}, {"source": "cve@mitre.org", "url": "https://github.com/perl5-dbi/DBD-mysql/issues/140"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/perl5-dbi/DBD-mysql/pull/114"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "perl-DBD-MySQL: Possible MITM attack when mysql_ssl=1", "id": "1467606", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1467606"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-300", "details": ["The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a \"your communication with the server will be encrypted\" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152."], "name": "CVE-2017-10789", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "perl-DBD-MySQL", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "perl-DBD-MySQL", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "perl-DBD-MySQL", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Will not fix", "package_name": "rh-perl520-perl-DBD-MySQL", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Will not fix", "package_name": "rh-perl524-perl-DBD-MySQL", "product_name": "Red Hat Software Collections"}], "public_date": "2017-07-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-10789\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-10789"], "statement": "Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Moderate"}