Vulnerability Details : CVE-2017-6369
Insufficient checks in the UDF subsystem in Firebird 2.5.x before 2.5.7 and 3.0.x before 3.0.2 allow remote authenticated users to execute code by using a 'system' entrypoint from fbudf.so.
Vulnerability category: Execute code
Products affected by CVE-2017-6369
- cpe:2.3:a:firebirdsql:firebird:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:firebirdsql:firebird:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:firebirdsql:firebird:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:firebirdsql:firebird:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:firebirdsql:firebird:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:firebirdsql:firebird:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:firebirdsql:firebird:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:firebirdsql:firebird:3.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-6369
0.55%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 75 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-6369
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST | |
8.8
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2017-6369
-
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-6369
-
http://www.securityfocus.com/bid/97070
Firebird CVE-2017-6369 Remote Code Execution VulnerabilityThird Party Advisory;VDB Entry
-
https://usn.ubuntu.com/3929-1/
USN-3929-1: Firebird vulnerabilities | Ubuntu security notices
-
http://www.debian.org/security/2017/dsa-3824
Debian -- Security Information -- DSA-3824-1 firebird2.5
-
http://tracker.firebirdsql.org/browse/CORE-5474
[#CORE-5474] 'Restrict UDF' is not effective, because fbudf.so is dynamically linked against libc - Firebird RDBMS Issue TrackerIssue Tracking;Vendor Advisory
Jump to