CVE-2015-8838

moderate-risk

Published 2016-05-16

ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 uses a client SSL option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.

Do I need to act?

-

0.66% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

5

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (20)

Php

Php

Php

Php

Php

Php

Php

Php

Php

Php

Php

Php

Php

Php

Php

Php

Php

Php

Php

Php

Affected Vendors

Php

References (18)

http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=97aa752fee61fccdec361279adbfb17...

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00052.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00056.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00057.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00058.html

http://php.net/ChangeLog-5.php

http://www.ubuntu.com/usn/USN-2952-1

http://www.ubuntu.com/usn/USN-2952-2

https://bugs.php.net/bug.php?id=69669

http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=97aa752fee61fccdec361279adbfb17...

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00052.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00056.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00057.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00058.html

http://php.net/ChangeLog-5.php

http://www.ubuntu.com/usn/USN-2952-1

http://www.ubuntu.com/usn/USN-2952-2

https://bugs.php.net/bug.php?id=69669

47

/ 100

moderate-risk

Severity 18/34 · Moderate

Exploitability 2/34 · Minimal

Exposure 27/34 · High