|Description||An authenticated remote attacker can execute arbitrary code in Firebird SQL Server versions 2.5.7 and 3.0.2 by executing a malformed SQL statement.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||high (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|firebird2.5 (PTS)||jessie (security), jessie||220.127.116.11778.ds4-5+deb8u1||vulnerable|
The information below is based on the following data on fixed versions.
[stretch] - firebird3.0 <postponed> (Minor issue, can be fixed along in a future update)
[jessie] - firebird2.5 <no-dsa> (Minor issue, can be fixed along in a future update)
Firebird upstream responded to Tenable that the issue is not intended to be addressed
in "any current release".
Issue addressed by disabling UDFs in firebird.conf; this is not a source code fix,
and might actually be considered more of a mitigation.
Steps to reproduce (partly) in: https://firstname.lastname@example.org