Description

The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.

Remediation

References

CVE-2009-4028

Related Vulnerabilities

Oracle JRE CVE-2012-3342 Vulnerability (CVE-2012-3342)

WordPress Plugin All-In-One Security (AIOS)-Security and Firewall Cross-Site Request Forgery (3.8.9)

e107 Other Vulnerability (CVE-2006-0682)

Oracle Database Server CVE-2008-1813 Vulnerability (CVE-2008-1813)

Oracle JRE CVE-2014-0452 Vulnerability (CVE-2014-0452)

Severity

Medium

Classification

CVE-2009-4028 CWE-20

Tags

Missing Update Known Vulnerabilities