Vulnerability Description
The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a "your communication with the server will be encrypted" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dbd-Mysql Project | Dbd-Mysql | <= 4.043 |
References
- http://www.securityfocus.com/bid/99364 (Third Party Advisory, VDB Entry)
- https://github.com/perl5-dbi/DBD-mysql/issues/110 (Third Party Advisory)
- https://github.com/perl5-dbi/DBD-mysql/issues/140
- https://github.com/perl5-dbi/DBD-mysql/pull/114 (Third Party Advisory)
FAQ
What is CVE-2017-10789?
CVE-2017-10789 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a "your communication with the server will be encry...
How severe is CVE-2017-10789?
CVE-2017-10789 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2017-10789?
Check the references section above for vendor advisories and patch information. Affected products include: Dbd-Mysql Project Dbd-Mysql.