CVE-2017-11509
Publication date 28 March 2018
Last updated 25 August 2025
Ubuntu priority
Description
An authenticated remote attacker can execute arbitrary code in Firebird SQL Server versions 2.5.7 and 3.0.2 by executing a malformed SQL statement.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| firebird2.5 | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| firebird3.0 | ||
| 18.04 LTS bionic | Ignored | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Notes
msalvatore
"No official solution exists. However, Tenable believes that disabling external UDF libraries from being loaded mitigates this issue... edit the default configuration from UdfAccess=Restrict to UdfAccess=None." -- Marking as "ignored"
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.8 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |