CVE-2012-5627

Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks.

CVSS v2.0 4.0 MEDIUM

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://seclists.org/fulldisclosure/2012/Dec/58	Exploit Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2012/Dec/83	Exploit Mailing List Third Party Advisory
http://seclists.org/oss-sec/2012/q4/424	Mailing List Third Party Advisory
http://secunia.com/advisories/53372	Not Applicable
http://security.gentoo.org/glsa/glsa-201308-06.xml	Patch Third Party Advisory VDB Entry
http://www.mandriva.com/security/advisories?name=MDVSA-2013:102	Broken Link
https://bugzilla.redhat.com/show_bug.cgi?id=883719	Issue Tracking Patch Third Party Advisory
https://mariadb.atlassian.net/browse/MDEV-3915	Broken Link Vendor Advisory
http://seclists.org/fulldisclosure/2012/Dec/58	Exploit Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2012/Dec/83	Exploit Mailing List Third Party Advisory
http://seclists.org/oss-sec/2012/q4/424	Mailing List Third Party Advisory
http://secunia.com/advisories/53372	Not Applicable
http://security.gentoo.org/glsa/glsa-201308-06.xml	Patch Third Party Advisory VDB Entry
http://www.mandriva.com/security/advisories?name=MDVSA-2013:102	Broken Link
https://bugzilla.redhat.com/show_bug.cgi?id=883719	Issue Tracking Patch Third Party Advisory
https://mariadb.atlassian.net/browse/MDEV-3915	Broken Link Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:mariadb:mariadb::::::::
	cpe:2.3:a:mariadb:mariadb::::::::
	cpe:2.3:a:mariadb:mariadb::::::::
	cpe:2.3:a:mariadb:mariadb:10.0.0:::::::*

History

21 Nov 2024, 01:45

Type	Values Removed	Values Added
References	~~() http://seclists.org/fulldisclosure/2012/Dec/58 - Exploit, Mailing List, Third Party Advisory~~	() http://seclists.org/fulldisclosure/2012/Dec/58 - Exploit, Mailing List, Third Party Advisory
References	~~() http://seclists.org/fulldisclosure/2012/Dec/83 - Exploit, Mailing List, Third Party Advisory~~	() http://seclists.org/fulldisclosure/2012/Dec/83 - Exploit, Mailing List, Third Party Advisory
References	~~() http://seclists.org/oss-sec/2012/q4/424 - Mailing List, Third Party Advisory~~	() http://seclists.org/oss-sec/2012/q4/424 - Mailing List, Third Party Advisory
References	~~() http://secunia.com/advisories/53372 - Not Applicable~~	() http://secunia.com/advisories/53372 - Not Applicable
References	~~() http://security.gentoo.org/glsa/glsa-201308-06.xml - Patch, Third Party Advisory, VDB Entry~~	() http://security.gentoo.org/glsa/glsa-201308-06.xml - Patch, Third Party Advisory, VDB Entry
References	~~() http://www.mandriva.com/security/advisories?name=MDVSA-2013:102 - Broken Link~~	() http://www.mandriva.com/security/advisories?name=MDVSA-2013:102 - Broken Link
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=883719 - Patch, Issue Tracking, Third Party Advisory~~	() https://bugzilla.redhat.com/show_bug.cgi?id=883719 - Issue Tracking, Patch, Third Party Advisory
References	~~() https://mariadb.atlassian.net/browse/MDEV-3915 - Broken Link, Vendor Advisory~~	() https://mariadb.atlassian.net/browse/MDEV-3915 - Broken Link, Vendor Advisory

18 May 2022, 15:56

Type	Values Removed	Values Added
CPE	cpe:2.3:a:mariadb:mariadb:5.3.7:::::::* cpe:2.3:a:mariadb:mariadb:5.2.7:::::::* cpe:2.3:a:mariadb:mariadb:5.5.24:::::::* cpe:2.3:a:mariadb:mariadb:5.2.5:::::::* cpe:2.3:a:mariadb:mariadb:5.3.3:::::::* cpe:2.3:a:mariadb:mariadb:5.2.8:::::::* cpe:2.3:a:mariadb:mariadb:5.3.9:::::::* cpe:2.3:a:mariadb:mariadb:5.3.11:::::::* cpe:2.3:a:mariadb:mariadb:5.3.10:::::::* cpe:2.3:a:mariadb:mariadb:5.5.25:::::::* cpe:2.3:a:mariadb:mariadb:5.2.1:::::::* cpe:2.3:a:mariadb:mariadb:5.5.20:::::::* cpe:2.3:a:mariadb:mariadb:5.2.3:::::::* cpe:2.3:a:mariadb:mariadb:5.5.27:::::::* cpe:2.3:a:mariadb:mariadb:5.5.23:::::::* cpe:2.3:a:mariadb:mariadb:5.5.21:::::::* cpe:2.3:a:mariadb:mariadb:5.2.6:::::::* cpe:2.3:a:mariadb:mariadb:5.3.0:::::::* cpe:2.3:a:mariadb:mariadb:5.5.28:::::::* cpe:2.3:a:mariadb:mariadb:5.3.8:::::::* cpe:2.3:a:mariadb:mariadb:5.3.1:::::::* cpe:2.3:a:mariadb:mariadb:5.3.5:::::::* cpe:2.3:a:mariadb:mariadb:5.2.12:::::::* cpe:2.3:a:mariadb:mariadb:5.3.2:::::::* cpe:2.3:a:mariadb:mariadb:5.2.9:::::::* cpe:2.3:a:mariadb:mariadb:5.3.6:::::::* cpe:2.3:a:mariadb:mariadb:5.2.2:::::::* cpe:2.3:a:mariadb:mariadb:5.2.13:::::::* cpe:2.3:a:mariadb:mariadb:5.5.22:::::::* cpe:2.3:a:mysql:mysql:::::::: cpe:2.3:a:mariadb:mariadb:5.2.0:::::::* cpe:2.3:a:mariadb:mariadb:5.3.4:::::::* cpe:2.3:a:mariadb:mariadb:5.2.11:::::::* cpe:2.3:a:mariadb:mariadb:5.2.4:::::::* cpe:2.3:a:mariadb:mariadb:5.2.10:::::::*	cpe:2.3:a:oracle:mysql:::::::: cpe:2.3:a:mariadb:mariadb::::::::
References	~~(CONFIRM) https://mariadb.atlassian.net/browse/MDEV-3915 - Vendor Advisory~~	(CONFIRM) https://mariadb.atlassian.net/browse/MDEV-3915 - Broken Link, Vendor Advisory
References	~~(FULLDISC) http://seclists.org/fulldisclosure/2012/Dec/83 - Mailing List, Third Party Advisory~~	(FULLDISC) http://seclists.org/fulldisclosure/2012/Dec/83 - Exploit, Mailing List, Third Party Advisory
CWE	~~CWE-255~~	CWE-522

Information

Published : 2013-10-01 17:55

Updated : 2024-11-21 01:45

NVD link : CVE-2012-5627

Mitre link : CVE-2012-5627

CVE.ORG link : CVE-2012-5627

JSON object : View

Products Affected

mariadb

mariadb

oracle

mysql

CWE

CWE-522

Insufficiently Protected Credentials

4.0 /10