JVNDB-2011-000086

DBD::mysqlPP vulnerable to SQL injection

Overview

DBD::mysqlPP contains a SQL injection vulnerability.

DBD::mysqlPP is a Perl module that provides a client interface for MySQL.

Toshiharu Sugiyama of UBsecure, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

Hiroyuki Oyama
  • DBD::mysqlPP version 0.04 and earlier

Impact

An attacker may view or alter information stored in the database.

Solution

[Do not use DBD::mysqlPP]
According to the developer, "DBD::mysqlPP was developed as a joke program and designed for use in private situations or for understanding the MySQL communication protocol. For usages other than these stated, it is recommended to use DBD::mysql which is a library with the same API."

For more information on DBD::mysql, check the following:

DBD::mysql
http://search.cpan.org/dist/DBD-mysql/

Vendor Information

Hiroyuki Oyama

CWE

  1. SQL Injection (CWE-89) [IPA Evaluation]

CVE

  1. CVE-2011-3989

References

  1. JVN : JVN#51216285
  2. National Vulnerability Database (NVD) : CVE-2011-3989

Revision History

  • [2011/10/14]
      Web page published