CVE-2012-5615

Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00016.html
http://seclists.org/fulldisclosure/2012/Dec/9
http://secunia.com/advisories/53372
http://security.gentoo.org/glsa/glsa-201308-06.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2013:102
http://www.openwall.com/lists/oss-security/2012/12/02/3
http://www.openwall.com/lists/oss-security/2012/12/02/4
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
https://mariadb.atlassian.net/browse/MDEV-3909

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mariadb:mariadb:5.1.66:::::::*
	cpe:2.3:a:mariadb:mariadb:5.2.13:::::::*
	cpe:2.3:a:mariadb:mariadb:5.3.11:::::::*
	cpe:2.3:a:mariadb:mariadb:5.5.28a:::::::*
	cpe:2.3:a:oracle:mysql:5.5.19:::::::*

History

No history.

Information

Published : 2012-12-03 12:49

Updated : 2024-02-04 18:16

NVD link : CVE-2012-5615

Mitre link : CVE-2012-5615

CVE.ORG link : CVE-2012-5615

JSON object : View

Products Affected

oracle

mysql

mariadb

mariadb

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2012-5615", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2012-12-03T12:49:43.830", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00000.html", "source": "secalert@redhat.com"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00016.html", "source": "secalert@redhat.com"}, {"url": "http://seclists.org/fulldisclosure/2012/Dec/9", "source": "secalert@redhat.com"}, {"url": "http://secunia.com/advisories/53372", "source": "secalert@redhat.com"}, {"url": "http://security.gentoo.org/glsa/glsa-201308-06.xml", "source": "secalert@redhat.com"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:102", "source": "secalert@redhat.com"}, {"url": "http://www.openwall.com/lists/oss-security/2012/12/02/3", "source": "secalert@redhat.com"}, {"url": "http://www.openwall.com/lists/oss-security/2012/12/02/4", "source": "secalert@redhat.com"}, {"url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html", "source": "secalert@redhat.com"}, {"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", "source": "secalert@redhat.com"}, {"url": "https://mariadb.atlassian.net/browse/MDEV-3909", "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames."}, {"lang": "es", "value": "MySQL v5.5.19 y posiblemente otras versiones, y MariaDB v5.5.28a, v5.3.11, v5.2.13, v5.1.66, y posiblemente con otras versiones, generan mensajes de error diferentes con retardos de tiempo diferentes dependiendo de si existe un nombre de usuario, lo que permite atacantes remotos para enumerar los nombres de usuario v\u00e1lidos."}], "lastModified": "2023-02-13T04:37:39.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mariadb:mariadb:5.1.66:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3CCF3D67-FAE6-43F4-B546-C7B46992251E"}, {"criteria": "cpe:2.3:a:mariadb:mariadb:5.2.13:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62C9A610-F5D7-4DAF-BB63-F062FB48210B"}, {"criteria": "cpe:2.3:a:mariadb:mariadb:5.3.11:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE70C2FA-7E45-4676-A15E-6D07BB97D937"}, {"criteria": "cpe:2.3:a:mariadb:mariadb:5.5.28a:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46E32ACD-E034-4FD6-A54A-43AFDA1AA196"}, {"criteria": "cpe:2.3:a:oracle:mysql:5.5.19:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "77E105E9-FE65-4B75-9818-D3897294E941"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}