Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2006-5559

The Execute method in the ADODB.Connection 2.7 and 2.8 ActiveX control objects (ADODB.Connection.2.7 and ADODB.Connection.2.8) in the Microsoft Data Access Components (MDAC) 2.5 SP3, 2.7 SP1, 2.8, and 2.8 SP1 does not properly track freed memory when the second argument is a BSTR, which allows remote attackers to cause a denial of service (Internet Explorer crash) and possibly execute arbitrary code via certain strings in the second and third arguments.

Published

2006-10-27T16:07:00.000

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 9.3 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE
Exploitability Score

8.6

Impact Score

10.0

Weaknesses
  • Type: Primary
    CWE-20
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Operating System microsoft windows_2000 * No
Application microsoft data_access_components 2.5 Yes
Operating System microsoft windows_xp * No
Application microsoft data_access_components 2.8 Yes
Operating System microsoft windows_2003_server * No
Operating System microsoft windows_2003_server itanium No
Application microsoft data_access_components 2.8 Yes
Operating System microsoft windows_2000 * No
Application microsoft data_access_components 2.7 Yes
Operating System microsoft windows_2000 * No
Application microsoft data_access_components 2.8 Yes
Operating System microsoft windows_2000 * No
Application microsoft data_access_components 2.8 Yes
References