CVE-2012-5611
published 2012-12-03


Priority: P3 (51) · Severity: medium, CVSS 2.0 base score 6.5
Vector: AV:N / AC:L / Au:S / C:P / I:P / A:P
Exploit: public exploit available
EPSS: 24.56% (97.6th percentile)
Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions through 5.5.28, and 5.1.53 and other versions through 5.1.66, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.

Affected

46 ranges · showing 25

Vendor    Product    Version range      Fixed in
mariadb   mariadb    (not extracted)    (not extracted)

All 25 displayed rows list vendor mariadb / product mariadb; the version-range and fixed-in columns did not survive extraction. The description above gives the MariaDB branches: 5.1.x before 5.1.66, 5.2.x before 5.2.13, 5.3.x before 5.3.11 and 5.5.2.x before 5.5.28a.

Detection & IOCs (extracted from sources)

command: grant file on <long_argument>.* to 'user'@'%' identified by 'secret';
command: GRANT FILE on <100000-byte argument>.*
  • Detect exploitation attempts by monitoring for extremely long (e.g., 100,000-byte) database-name arguments to GRANT FILE (or any GRANT ... ON <db>.*); the overlong name is what overflows the stack buffer in acl_get(). MySQL caps schema identifiers at 64 characters, so any ON-clause database name longer than that is invalid on every version and is worth alerting on by itself.
  • A successful exploit crashes mysqld with a segmentation fault (signal 11), with the saved instruction pointer overwritten by attacker-controlled data (e.g., 0x41414141). Look for "mysqld got signal 11" in the error log and for core dumps in the data directory (typically /var/lib/mysql/). Caveats: mysqld only writes a core file when started with --core-file and the core-size ulimit permits it, and a build compiled with stack protection may abort with "stack smashing detected" (signal 6) instead of segfaulting.
  • The vulnerability is post-authentication; alert on authenticated MySQL sessions issuing GRANT FILE with abnormally long database-name arguments, and record which account issued the statement.
  • Successful exploitation yields OS-level code execution as the 'mysql' service account; correlate mysqld crashes with subsequent unexpected child processes owned by the mysql user.
  • The overflow is triggered through the GRANT FILE command, and the vulnerable code path is the acl_get() function. Only authenticated database users can reach it; there is no unauthenticated attack vector.
  • Affected versions span multiple MySQL and MariaDB branches: MySQL 5.1.x through 5.1.66 and 5.5.x through 5.5.28, and MariaDB 5.1.x before 5.1.66, 5.2.x before 5.2.13, 5.3.x before 5.3.11 and 5.5.2.x before 5.5.28a. Detections should cover all of them; remediation is to move past those versions.
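As an added example (not code from the page's sources or from MySQL/MariaDB), the detection items above turned into a check over MySQL 5.1/5.5 general-query-log records. The log lines are constructed, and two design points are assumptions on my part: the check fires on any GRANT ... ON <db>.* whose database name exceeds 64 characters (MySQL's schema identifier limit) rather than only on GRANT FILE, and it tracks Connect records so that a hit names the authenticated account, since the bug is post-authentication.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# MySQL caps schema (database) identifiers at 64 characters, so a GRANT whose
# ON-clause database name is longer than that is never legitimate. The public
# CVE-2012-5611 trigger uses a ~100,000-byte name; 64 is the threshold because
# anything above it is invalid regardless of server version (assumption: we
# alert on every GRANT, not only GRANT FILE).
MYSQL_MAX_IDENTIFIER_LEN = 64

# GRANT <privs> ON <db>.<table|*> ... ; the db part may be bare, backtick-quoted
# or string-quoted. DOTALL lets a statement folded over several lines match.
GRANT_DB_RE = re.compile(
    r"\bGRANT\b.+?\bON\b\s*"
    r"(?:`(?P<bq>[^`]*)`|'(?P<sq>[^']*)'|\"(?P<dq>[^\"]*)\"|(?P<bare>[^\s.`'\"]+))"
    r"\s*\.",
    re.IGNORECASE | re.DOTALL,
)

# One record of the MySQL 5.1/5.5 general query log:
# "<YYMMDD HH:MM:SS>\t<conn-id> <Command>\t<argument>"
GENERAL_LOG_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2})\t\s*(?P<cid>\d+)\s+(?P<cmd>\w+)\t(?P<arg>.*)$",
    re.DOTALL,
)


@dataclass
class Finding:
    line_no: int
    connection_id: str
    user: str          # "user@host" from the session's Connect record, if seen
    db_name_len: int
    excerpt: str


def grant_db_name(statement: str) -> Optional[str]:
    """Return the ON-clause database name of a GRANT statement, or None."""
    m = GRANT_DB_RE.search(statement)
    if not m:
        return None
    return next(g for g in m.group("bq", "sq", "dq", "bare") if g is not None)


def scan_general_log(lines: Iterable[str],
                     max_len: int = MYSQL_MAX_IDENTIFIER_LEN) -> List[Finding]:
    """Flag Query records whose GRANT targets an over-long database name.

    Connect records are tracked per connection id so each finding names the
    authenticated account (the bug is post-auth, so the account matters).
    """
    users = {}
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = GENERAL_LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        cid, cmd, arg = m.group("cid"), m.group("cmd"), m.group("arg")
        if cmd == "Connect":
            # Connect argument looks like "user@host on [db]"
            users[cid] = arg.split(" on", 1)[0]
            continue
        if cmd != "Query":
            continue
        db = grant_db_name(arg)
        if db is None or len(db) <= max_len:
            continue
        findings.append(Finding(
            line_no=line_no,
            connection_id=cid,
            user=users.get(cid, "<unknown>"),
            db_name_len=len(db),
            excerpt=arg[:60] + "...",
        ))
    return findings


# Constructed sample log (not a real capture): one normal GRANT on connection 8,
# then the CVE-2012-5611 trigger shape from the IOC list with a 100,000-byte name.
SAMPLE_LOG = [
    "121203 10:15:20\t    7 Connect\tapp@10.0.0.5 on shop",
    "121203 10:15:21\t    7 Query\tSELECT * FROM orders LIMIT 10",
    "121203 10:15:22\t    8 Connect\tdba@10.0.0.9 on",
    "121203 10:15:23\t    8 Query\tGRANT SELECT ON `shop`.* TO 'app'@'%'",
    "121203 10:15:24\t    8 Query\tGRANT FILE ON " + "A" * 100000
    + ".* TO 'user'@'%' IDENTIFIED BY 'secret'",
    "121203 10:15:25\t    7 Quit\t",
]

if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"line {f.line_no}: conn {f.connection_id} ({f.user}) issued GRANT "
              f"with a {f.db_name_len}-char database name: {f.excerpt}")
```

Run as a script it reports the single hit on connection 8 (dba@10.0.0.9). To use it against a real server, enable the general log (general_log=ON) and feed its lines to scan_general_log; the same grant_db_name() check can be dropped into a proxy or audit-plugin pipeline that sees statements before the server does.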

CVSS provenance

NVD (CVSS v2.0): 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
Red Hat (vendor): 6.5 MEDIUM