Home > Vulnerability Database > CVE-2015-3152

Mend.io Vulnerability Database

CVE-2015-3152

Good to know:

Date: May 16, 2016

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.

Language: C

Severity Score

5.9

Related Resources (19)

Url: http://www.ocert.org/advisories/ocert-2015-003.html

Url: http://www.debian.org/security/2015/dsa-3311

Url: http://rhn.redhat.com/errata/RHSA-2015-1665.html

Url: http://packetstormsecurity.com/files/131688/MySQL-SSL-TLS-Downgrade.html

Url: http://www.securitytracker.com/id/1032216

Url: http://www.securityfocus.com/bid/74398

Url: https://www.duosecurity.com/blog/backronym-mysql-vulnerability

Url: https://access.redhat.com/security/cve/CVE-2015-3152

Url: http://rhn.redhat.com/errata/RHSA-2015-1646.html

Url: http://mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/

Url: https://nvd.nist.gov/vuln/detail/CVE-2015-3152

Url: http://www.securityfocus.com/archive/1/535397/100/1100/threaded

Url: http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161625.html

Url: https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390

Url: http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/

Url: https://jira.mariadb.org/browse/MDEV-7937

Url: http://rhn.redhat.com/errata/RHSA-2015-1647.html

Url: http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161436.html

Url: https://www.mend.io/vulnerability-database/CVE-2015-3152

Severity Score

5.9

Weakness Type (CWE)

Improper Access Control

CWE-284

Improper Certificate Validation

CWE-295

Top Fix

Upgrade Version

Upgrade to version MySQL - 5.7.3;MySQL Connector/C - 6.1.3;MariaDB - 5.5.44

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2015-3152

Good to know:

Date: May 16, 2016

Language: C

Severity Score

Related Resources (19)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?