CVE-2006-5559

The Execute method in the ADODB.Connection 2.7 and 2.8 ActiveX control objects (ADODB.Connection.2.7 and ADODB.Connection.2.8) in the Microsoft Data Access Components (MDAC) 2.5 SP3, 2.7 SP1, 2.8, and 2.8 SP1 does not properly track freed memory when the second argument is a BSTR, which allows remote attackers to cause a denial of service (Internet Explorer crash) and possibly execute arbitrary code via certain strings in the second and third arguments.

Published: Oct 27, 2006
Updated: Apr 13, 2023
CVE: CVE-2006-5559
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
microsoft / data_access_components	2.5-sp3	2.5-sp3.x
microsoft / data_access_components	2.8-sp1	2.8-sp1.x
microsoft / data_access_components	2.8	2.8.x
microsoft / data_access_components	2.7-sp1	2.7-sp1.x

http://blogs.technet.com/msrc/archive/2006/10/27/adodb-connection-poc-published.aspx
http://research.eeye.com/html/alerts/zeroday/20061027.html
http://secunia.com/advisories/22452
http://securitytracker.com/id?1017127
http://www.kb.cert.org/vuls/id/589272
http://www.osvdb.org/31882
http://www.securityfocus.com/bid/20704
http://www.us-cert.gov/cas/techalerts/TA07-044A.html
http://www.vupen.com/english/advisories/2007/0578
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-009
https://exchange.xforce.ibmcloud.com/vulnerabilities/29837
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A214

Vulnerability Database

289,784

CVE-2006-5559