Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2006-5559

CWE-20 — Improper Input Validation5 documents5 sources

Severity

9.3CRITICAL

EPSS

72.6%

top 1.23%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Microsoft Data Access Components

Timeline

PublishedOct 27

Latest updateMay 1

Description

The Execute method in the ADODB.Connection 2.7 and 2.8 ActiveX control objects (ADODB.Connection.2.7 and ADODB.Connection.2.8) in the Microsoft Data Access Components (MDAC) 2.5 SP3, 2.7 SP1, 2.8, and 2.8 SP1 does not properly track freed memory when the second argument is a BSTR, which allows remote attackers to cause a denial of service (Internet Explorer crash) and possibly execute arbitrary code via certain strings in the second and third arguments.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages1 packages

▶NVDmicrosoft/data_access_components2.5, 2.7, 2.8+2

Patches

Patch: research.eeye.com ↗Patch: securitytracker.com ↗Patch: www.kb.cert.org ↗

🔴Vulnerability Details

GHSA

GHSA-662x-vqg2-x4mr: The Execute method in the ADODB↗2022-05-01

▶

CVEList

CVE-2006-5559: The Execute method in the ADODB↗2006-10-27

▶

VulnCheck

Microsoft Windows Improper Input Validation↗2006

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Internet Explorer - ADODB Execute Denial of Service (PoC)↗2006-10-24

▶