PT-2017-11505 · MySQL Server (+3) · DBD::mysql (+3)

Pali · Published 2017-07-01 · Updated 2025-04-07 · CVE-2017-10789

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: DBD::mysql versions through 4.043
Description: DBD::mysql through 4.043 treats the mysql_ssl=1 connection attribute as a request for SSL rather than a requirement, even though the attribute's documentation states that communication with the server will be encrypted. An attacker positioned between client and server can therefore perform a cleartext-downgrade attack: the server's SSL capability is stripped from the initial handshake, the driver falls back to an unencrypted connection without raising an error, and the attacker can spoof the server and relay or alter the session. The issue is the driver-side counterpart of CVE-2015-3152 in the MySQL client library.
Recommendations: Upgrade to DBD::mysql 4.044 or later, or to a distribution package carrying the backported fix (see Related Identifiers). From 4.044, mysql_ssl=1 requires an encrypted connection and the connect fails otherwise; the old opportunistic behaviour is only available by explicitly setting the new mysql_ssl_optional=1 attribute, which should not be used. Also set mysql_ssl_ca_file and mysql_ssl_verify_server_cert=1 so that a spoofed server certificate is rejected, since enforced encryption alone does not authenticate the peer. Versions through 4.043 offer no client-side attribute that requires SSL, so the interim mitigation is network-level: confine MySQL traffic to a trusted network or to a tunnel the client can verify. Configuring the account with REQUIRE SSL on the server prevents accidental cleartext logins but does not stop an active attacker who downgrades the client leg and re-encrypts towards the server. After upgrading, a post-connect SHOW STATUS LIKE 'Ssl_cipher' that returns an empty value indicates a misconfigured, unencrypted connection.
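As an added example (not code from the advisory or from the DBD::mysql project), the Perl script below places the pre-4.044 opportunistic DSN beside a hardened one, refuses to connect with a driver that cannot enforce SSL, and checks the negotiated cipher after connecting. The host, port, database, credentials, CA file path and the MYSQL_* environment variable names are assumptions for illustration.

```perl
#!/usr/bin/env perl
# Added example, not code from the advisory or from the DBD::mysql project.
# Connects through DBI/DBD::mysql so that a cleartext downgrade fails closed.
# Assumptions: DBD::mysql 4.044 or later is installed; host, port, database,
# credentials, CA file and the MYSQL_* environment variables are hypothetical.
use 5.010;
use strict;
use warnings;
use DBI;
use DBD::mysql;

# The vulnerable form. Through 4.043 "mysql_ssl=1" only requests SSL: if the
# server (or an attacker rewriting the handshake) does not offer it, the
# driver silently continues in cleartext, and no attribute can forbid that.
my $OPPORTUNISTIC_DSN = 'DBI:mysql:database=app;host=db.example.internal;mysql_ssl=1';

# From 4.044 "mysql_ssl=1" enforces SSL unless "mysql_ssl_optional=1" is also
# given, so the first check is the installed driver version.
sub driver_enforces_ssl {
    my ($version) = @_;
    $version = $DBD::mysql::VERSION unless defined $version;
    (my $numeric = $version) =~ tr/_//d;   # "4.046_01" -> "4.04601"
    return $numeric >= 4.044 ? 1 : 0;
}

# Hardened DSN: enforce encryption and authenticate the server. Encryption
# alone does not stop a spoofed server; the CA pin and certificate check do.
sub hardened_dsn {
    my (%p) = @_;
    my @ssl = (
        'mysql_ssl=1',                    # request and (>= 4.044) require TLS
        "mysql_ssl_ca_file=$p{ca_file}",  # only this CA may sign the server cert
        'mysql_ssl_verify_server_cert=1', # certificate must match the host
        # never add 'mysql_ssl_optional=1': it restores the downgrade behaviour
    );
    return "DBI:mysql:database=$p{database};host=$p{host};port=$p{port};"
         . join(';', @ssl);
}

# Connect, then confirm the session really is encrypted. An attacker who has
# already downgraded the session could forge this answer, so the check catches
# misconfiguration; the enforcement above is what defeats the attack.
sub connect_and_verify {
    my (%p) = @_;
    die "DBD::mysql $DBD::mysql::VERSION cannot enforce SSL; upgrade to 4.044 or later\n"
        unless driver_enforces_ssl();
    my $dbh = DBI->connect(hardened_dsn(%p), $p{user}, $p{password},
                           { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
    my (undef, $cipher) = $dbh->selectrow_array("SHOW STATUS LIKE 'Ssl_cipher'");
    unless (defined $cipher && length $cipher) {
        $dbh->disconnect;
        die "connection to $p{host} is not encrypted\n";
    }
    return ($dbh, $cipher);
}

unless (caller) {
    my %params = (
        host     => $ENV{MYSQL_HOST}     // 'db.example.internal',
        port     => $ENV{MYSQL_PORT}     // 3306,
        database => $ENV{MYSQL_DATABASE} // 'app',
        user     => $ENV{MYSQL_USER}     // 'app',
        password => $ENV{MYSQL_PASSWORD} // '',
        ca_file  => $ENV{MYSQL_SSL_CA}   // '/etc/ssl/certs/mysql-ca.pem',
    );
    my ($dbh, $cipher) = connect_and_verify(%params);
    print "connected to $params{host} over TLS ($cipher)\n";
    $dbh->disconnect;
}
```

Run it against a server whose certificate chains to the pinned CA; with a driver older than 4.044 it stops before connecting, because no DSN attribute on those versions can turn the SSL request into a requirement.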

Fix

Related Identifiers

ALT-PU-2018-1256
CVE-2017-10789
DLA-1079-1
MGASA-2018-0031
MGASA-2018-0283
OPENSUSE-SU-2018_1463-1
OPENSUSE-SU-2024:11160-1
SUSE-SU-2018:1449-1
SUSE-SU-2018:1450-1
USN-5344-1
USN-7417-1

Affected Products

ALT Linux
DBD::mysql
SUSE
Ubuntu