CVE-2012-2122
published 2012-06-26


Priority: P268 medium
CVSS 2.0: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 96.19% (99.9th percentile)
sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.

Affected

60 ranges · showing 25
Vendor: mariadb · Product: mariadb (25 rows; the version-range and fixed-in values were not captured in this copy)

Detection & IOCs (extracted from sources)

Port: 3306
Command: for (let i = 1; i <= 1001; i++) { const connected = client.ExecuteQuery(Host, Port, User, Pass, Query); }
  • The attack works by repeatedly authenticating with the same incorrect password in a loop (up to ~1000+ attempts); detection should look for a high volume of failed MySQL authentication attempts from a single source IP followed by a successful login.
  • The vulnerability is in sql/password.c check_scramble() — monitor for successful MySQL logins immediately following a burst of authentication failures from the same client, especially on port 3306.
  • The exploit loops up to 1001 authentication attempts with a known-wrong password ('wrong' or 'blah'); a Snort/Suricata rule counting MySQL handshake attempts exceeding a threshold from one source within a short window would detect this.
  • The glibc x86_64 SSE4 optimized memcmp() is the specific implementation that triggers the bug; affected systems are those running recent glibc on x86_64 where MySQL calls the system memcmp() rather than a gcc builtin.
  • Use the Nuclei template matcher condition 'success == true' after iterating up to 1001 login attempts with a wrong password against MySQL port 3306 to confirm exploitability.
  • The vulnerability only triggers on systems where the system memcmp() implementation can return values outside the -255..255 range; Red Hat Enterprise Linux 4, 5, and 6 MySQL packages are NOT affected because they use a gcc builtin for check_scramble() rather than the glibc SSE4 memcmp().
  • The bug has existed in the MySQL code base since version 4.x but only manifests as exploitable when paired with a memcmp() implementation returning values outside the -255..255 range (e.g., glibc x86_64 SSE4 on Fedora/recent distros).
  • The Nuclei template requires the pre-condition isPortOpen(Host, Port) on port 3306 before attempting the brute-force authentication loop; max-request is set to 1 at the template level but the JS code loops up to 1001 times internally.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v2.0     5.1    MEDIUM    AV:N/AC:H/Au:N/C:P/I:P/A:P
vendor_redhat           5.1    MEDIUM
vendor_ubuntu           5.1    MEDIUM