Vulnerability Description
sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oracle | Mysql | 5.1.51 |
| Mariadb | Mariadb | 5.1.41 |
Related Weaknesses (CWE)
References
- http://bugs.mysql.com/bug.php?id=64884Exploit
- http://kb.askmonty.org/en/mariadb-5162-release-notes/
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00007.html
- http://seclists.org/oss-sec/2012/q2/493Patch
- http://secunia.com/advisories/49417Vendor Advisory
- http://secunia.com/advisories/53372
- http://security.gentoo.org/glsa/glsa-201308-06.xml
- http://securitytracker.com/id?1027143
- http://www.exploit-db.com/exploits/19092
- http://www.securityfocus.com/bid/53911Exploit
- https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-Exploit
- http://bugs.mysql.com/bug.php?id=64884Exploit
- http://kb.askmonty.org/en/mariadb-5162-release-notes/
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00007.html
- http://seclists.org/oss-sec/2012/q2/493Patch
FAQ
What is CVE-2012-2122?
CVE-2012-2122 is a vulnerability with a CVSS score of 5.1 (MEDIUM). sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when...
How severe is CVE-2012-2122?
CVE-2012-2122 has been rated MEDIUM with a CVSS base score of 5.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-2122?
Check the references section above for vendor advisories and patch information. Affected products include: Oracle Mysql, Mariadb Mariadb.