Description
The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| n/a | n/a | affected |
|
Configuration 1 [-]
|
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| Red Hat Enterprise Linux 5 | |||
| mysql-0:5.0.77-4.el5_4.2 | cpe:/o:redhat:enterprise_linux:5 | RHSA-2010:0109 | 2010-02-16T00:00:00Z |
No data available yet.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2009-3999 | The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library. |
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2024-08-07T06:45:50.954Z
Reserved: 2009-11-20T00:00:00.000Z
Link: CVE-2009-4028
Vulnrichment
No data.
NVD
Status : Modified
Published: 2009-11-30T17:30:00.327
Modified: 2026-04-23T00:35:47.467
Link: CVE-2009-4028
Redhat
OpenCVE Enrichment
No data.
Weaknesses