CVE-2012-5627
Published 2013-10-01
Priority: P4 (30) · Severity: medium · CVSS 2.0 base score: 4.0
CVSS 2.0 vector: AV:N / AC:L / Au:S / C:P / I:N / A:N
EXPLOIT
EPSS: 11.41% (95.5th percentile)
Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mariadb | mariadb | — | — |
| mariadb | mariadb | >= 5.2.0 < 5.2.14 | 5.2.14 |
| mariadb | mariadb | >= 5.3.0 < 5.3.12 | 5.3.12 |
| mariadb | mariadb | >= 5.5.0 < 5.5.29 | 5.5.29 |
| oracle | mysql | >= 5.5.0 < 5.5.29 | 5.5.29 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| osv | — | 4.0 | MEDIUM | — |
| vendor_redhat | — | 4.0 | MEDIUM | — |
Red Hat
mysql: efficient password guessing attack using change_user()
Source: vendor_redhat · 2012-12-03 · CVE-2012-5627 · CVSS 4.0 (MEDIUM)
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Package: mysql (Red Hat Enterprise Linux 5) - Will not fix
Package: mysql (Red Hat Enterprise Linux 6) - Will not fix
GHSA
GHSA-46h7-m4g6-26pp: Oracle MySQL and MariaDB 5
Source: ghsa_unreviewed · 2022-05-17 · CVE-2012-5627 · MEDIUM · CWE-522
OSV
CVE-2012-5627: Oracle MySQL and MariaDB 5
Source: osv · 2013-10-01 · CVE-2012-5627 · CVSS 4.0 (MEDIUM)
No detection rules found.
References
- http://seclists.org/fulldisclosure/2012/Dec/58
- http://seclists.org/fulldisclosure/2012/Dec/83
- http://seclists.org/oss-sec/2012/q4/424
- http://secunia.com/advisories/53372
- http://security.gentoo.org/glsa/glsa-201308-06.xml
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:102
- https://bugzilla.redhat.com/show_bug.cgi?id=883719
- https://mariadb.atlassian.net/browse/MDEV-3915