Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2012-5615 — Sensitive Information Exposure in Mariadb

CWE-200 — Sensitive Information Exposure CWE-209 — Information Exposure via Error Message8 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

20.7%

top 4.40%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Mariadb Oracle Mysql

Timeline

PublishedDec 3

Latest updateMay 17

Description

Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶NVDoracle/mysql5.5.19

▶NVDmariadb/mariadb4 versions+3

🔴Vulnerability Details

GHSA

GHSA-7ccw-fmfw-7xm6: Oracle MySQL 5↗2022-05-17

▶

OSV

CVE-2012-5615: Oracle MySQL 5↗2012-12-03

▶

💥Exploits & PoCs

Exploit-DB

MySQL - Remote User Enumeration↗2012-12-02

▶

Exploit-DB

MySQL 5.1/5.5 (Windows) - 'MySQLJackpot' Remote Command Execution↗2012-12-02

▶

📋Vendor Advisories

Ubuntu

MySQL vulnerabilities↗2014-10-15

▶

Red Hat

mysql: Remote Preauth User Enumeration flaw↗2012-12-01

▶

💬Community

Bugzilla

CVE-2012-5615 mysql: Remote Preauth User Enumeration flaw↗2012-12-02

▶