CVE-2025-24975 (CNNVD-202508-1855)

HIGH
中文标题:
Firebird 代码问题漏洞
英文标题:
Firebird Non-Authorized Access to Encrypted Database Using Execute Statement on External
CVSS分数: 7.1
发布时间: 2025-08-15 15:11:29
漏洞类型: 代码问题
状态: PUBLISHED
数据质量分数: 0.30
数据版本: v3
漏洞描述
中文描述:

Firebird是Firebird基金会的一套开源跨平台的提供多个ANSI SQL-92功能的关系型数据库管理系统。 Firebird 4.0.6.3183之前版本、5.0.2.1610之前版本和6.0.0.609之前版本存在代码问题漏洞,该漏洞源于ExtConnPool连接验证不足可能导致分段违规。

英文描述:

Firebird is a relational database. Prior to snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, Firebird is vulnerable if ExtConnPoolSize is not set equal to 0. If connections stored in ExtConnPool are not verified for presence and suitability of the CryptCallback interface is used when created versus what is available could result in a segfault in the server process. Encrypted databases, accessed by execute statement on external, may be accessed later by an attachment missing a key to that database. In a case when execute statement are chained, segfault may happen. Additionally, the segfault may affect unencrypted databases. This issue has been patched in snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609 and point releases 4.0.6 and 5.0.2. A workaround for this issue involves setting ExtConnPoolSize equal to 0 in firebird.conf.

CWE类型:
CWE-754
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
FirebirdSQL firebird < 6.0.0.609 - - cpe:2.3:a:firebirdsql:firebird:<_6.0.0.609:*:*:*:*:*:*:*
FirebirdSQL firebird < 5.0.2.1610 - - cpe:2.3:a:firebirdsql:firebird:<_5.0.2.1610:*:*:*:*:*:*:*
FirebirdSQL firebird < 4.0.6.3183 - - cpe:2.3:a:firebirdsql:firebird:<_4.0.6.3183:*:*:*:*:*:*:*
firebirdsql firebird * - - cpe:2.3:a:firebirdsql:firebird:*:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-fx9r-rj68-7p69 x_refsource_CONFIRM
cve.org
访问
https://github.com/FirebirdSQL/firebird/issues/8429 x_refsource_MISC
cve.org
访问
https://github.com/FirebirdSQL/firebird/commit/658abd20449f72097fbbce57e8e6ae42ff837fb6 x_refsource_MISC
cve.org
访问
af854a3a-2127-422b-91ae-364da2661108 OTHER
nvd.nist.gov
访问
af854a3a-2127-422b-91ae-364da2661108 OTHER
nvd.nist.gov
访问
CVSS评分详情
3.1 (cna)
HIGH
7.1
CVSS向量: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
机密性
HIGH
完整性
HIGH
可用性
LOW
时间信息
发布时间:
2025-08-15 15:11:29
修改时间:
2025-08-20 19:50:53
创建时间:
2025-11-11 15:40:15
更新时间:
2025-11-11 16:00:05
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2025-24975 2025-11-11 15:23:10 2025-11-11 07:40:15
NVD nvd_CVE-2025-24975 2025-11-11 15:00:59 2025-11-11 07:48:06
CNNVD cnnvd_CNNVD-202508-1855 2025-11-11 15:13:00 2025-11-11 08:00:05
版本与语言
当前版本: v3
主要语言: EN
支持语言:
EN ZH
安全公告
暂无安全公告信息
变更历史
v3 CNNVD
2025-11-11 16:00:05
vulnerability_type: 未提取 → 代码问题; cnnvd_id: 未提取 → CNNVD-202508-1855; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 代码问题
  • cnnvd_id: 未提取 -> CNNVD-202508-1855
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:48:06
affected_products_count: 3 → 4; references_count: 3 → 5; data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • affected_products_count: 3 -> 4
  • references_count: 3 -> 5
  • data_sources: ['cve'] -> ['cve', 'nvd']