CVE-2009-4028

Name: CVE-2009-4028
Creator: NVD / NIST
Published: 2009-11-30T17:30:00.327+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 1.77%

Last modified Jun 16, 2026

CVE-2009-4028 is a vulnerability of currently unknown severity. The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.. EPSS estimates a 1.77% chance of exploitation in the next 30 days.

Description

The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.

Metrics

EPSS Probability

1.77%

75.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-20

Affected Software

Vendor	Product	Versions	Update
Mysql	Mysql	<= 5.0.87	—
Mysql	Mysql	5.0.0	—
Mysql	Mysql	5.0.1	—
Mysql	Mysql	5.0.2	—
Mysql	Mysql	5.0.3	—
Mysql	Mysql	5.0.4	—
Mysql	Mysql	5.0.5	—
Mysql	Mysql	5.0.5.0.21	—
Mysql	Mysql	5.0.10	—
Mysql	Mysql	5.0.15	—
Mysql	Mysql	5.0.16	—
Mysql	Mysql	5.0.17	—
Mysql	Mysql	5.0.20	—
Mysql	Mysql	5.0.22.1.0.1	—
Mysql	Mysql	5.0.24	—
Mysql	Mysql	5.0.30	—
Mysql	Mysql	5.0.36	—
Mysql	Mysql	5.0.44	—
Mysql	Mysql	5.0.54	—
Mysql	Mysql	5.0.56	—
Mysql	Mysql	5.0.60	—
Mysql	Mysql	5.0.66	—
Mysql	Mysql	5.0.82	—
Mysql	Mysql	5.0.84	—
Mysql	Mysql	5.1.5	—
Mysql	Mysql	5.1.23	—
Mysql	Mysql	5.1.31	—
Mysql	Mysql	5.1.32	—
Mysql	Mysql	5.1.34	—
Mysql	Mysql	5.1.37	—
Oracle	Mysql	5.0.0	Alpha
Oracle	Mysql	5.0.3	Beta
Oracle	Mysql	5.0.6	—
Oracle	Mysql	5.0.7	—
Oracle	Mysql	5.0.8	—
Oracle	Mysql	5.0.11	—
Oracle	Mysql	5.0.12	—
Oracle	Mysql	5.0.13	—
Oracle	Mysql	5.0.14	—
Oracle	Mysql	5.0.18	—
Oracle	Mysql	5.0.19	—
Oracle	Mysql	5.0.21	—
Oracle	Mysql	5.0.22	—
Oracle	Mysql	5.0.23	—
Oracle	Mysql	5.0.25	—
Oracle	Mysql	5.0.26	—
Oracle	Mysql	5.0.27	—
Oracle	Mysql	5.0.30	Sp1
Oracle	Mysql	5.0.32	—
Oracle	Mysql	5.0.33	—

Showing 50 of 103 affected configurations. See NVD for the full list.

References

Timeline

Published: Nov 30, 2009
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2009-4028?

How severe is CVE-2009-4028?

Severity scoring for CVE-2009-4028 is pending analysis. The EPSS model estimates a 1.77% probability of exploitation in the next 30 days.

How do I fix CVE-2009-4028?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2009-4028?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST