CVE-2012-5627

Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 88%
Affected Products (NVD)
VendorProductVersion
oraclemysql
5.5.0 ≤
𝑥
< 5.5.29
mariadbmariadb
5.2.0 ≤
𝑥
< 5.2.14
mariadbmariadb
5.3.0 ≤
𝑥
< 5.3.12
mariadbmariadb
5.5.0 ≤
𝑥
< 5.5.29
mariadbmariadb
10.0.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mariadb-5.5
lucid
dne
precise
dne
trusty
dne
utopic
not-affected
vivid
dne
wily
dne
xenial
dne
yakkety
dne
mysql-5.5
hardy
dne
lucid
dne
oneiric
dne
precise
ignored
quantal
ignored
raring
ignored
saucy
ignored
trusty
ignored
utopic
ignored
vivid
dne
wily
dne
xenial
dne
yakkety
dne
mysql-5.6
lucid
dne
precise
dne
trusty
dne
utopic
ignored
vivid
ignored
wily
ignored
xenial
dne
yakkety
dne
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libmariadbd104-devel
suse enterprise server 15 SP1
10.4.30-150100.3.5.10
fixed
libmariadbd19
suse enterprise server 15 SP1
10.4.30-150100.3.5.10
fixed
libmysqld-devel
suse enterprise sap 15
10.2.15-1.3
fixed
suse enterprise sap 15 SP1
10.2.22-3.14.1
fixed
suse enterprise server 15
10.2.15-1.3
fixed
suse enterprise server 15 SP1
10.2.22-3.14.1
fixed
libmysqld19
suse enterprise sap 15
10.2.15-1.3
fixed
suse enterprise sap 15 SP1
10.2.22-3.14.1
fixed
suse enterprise server 15
10.2.15-1.3
fixed
suse enterprise server 15 SP1
10.2.22-3.14.1
fixed
mariadb
suse enterprise sap 15
10.2.15-1.3
fixed
suse enterprise sap 15 SP1
10.2.22-3.14.1
fixed
suse enterprise server 15
10.2.15-1.3
fixed
suse enterprise server 15 SP1
10.2.22-3.14.1
fixed
mariadb-client
suse enterprise sap 15
10.2.15-1.3
fixed
suse enterprise sap 15 SP1
10.2.22-3.14.1
fixed
suse enterprise server 15
10.2.15-1.3
fixed
suse enterprise server 15 SP1
10.2.22-3.14.1
fixed
mariadb-errormessages
suse enterprise sap 15
10.2.15-1.3
fixed
suse enterprise sap 15 SP1
10.2.22-3.14.1
fixed
suse enterprise server 15
10.2.15-1.3
fixed
suse enterprise server 15 SP1
10.2.22-3.14.1
fixed
mariadb-tools
suse enterprise sap 15
10.2.15-1.3
fixed
suse enterprise sap 15 SP1
10.2.22-3.14.1
fixed
suse enterprise server 15
10.2.15-1.3
fixed
suse enterprise server 15 SP1
10.2.22-3.14.1
fixed
mariadb104
suse enterprise server 15 SP1
10.4.30-150100.3.5.10
fixed
mariadb104-bench
suse enterprise server 15 SP1
10.4.30-150100.3.5.10
fixed
mariadb104-client
suse enterprise server 15 SP1
10.4.30-150100.3.5.10
fixed
mariadb104-errormessages
suse enterprise server 15 SP1
10.4.30-150100.3.5.10
fixed
mariadb104-galera
suse enterprise server 15 SP1
10.4.30-150100.3.5.10
fixed
mariadb104-rpm-macros
suse enterprise server 15 SP1
10.4.30-150100.3.5.10
fixed
mariadb104-test
suse enterprise server 15 SP1
10.4.30-150100.3.5.10
fixed
mariadb104-tools
suse enterprise server 15 SP1
10.4.30-150100.3.5.10
fixed
python3-mysqlclient
suse enterprise server 15 SP1
1.4.6-150100.3.3.7
fixed
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2012/Dec/58
http://seclists.org/fulldisclosure/2012/Dec/83
http://seclists.org/oss-sec/2012/q4/424
http://secunia.com/advisories/53372
http://security.gentoo.org/glsa/glsa-201308-06.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2013:102
https://bugzilla.redhat.com/show_bug.cgi?id=883719
https://mariadb.atlassian.net/browse/MDEV-3915
http://seclists.org/fulldisclosure/2012/Dec/58
http://seclists.org/fulldisclosure/2012/Dec/83
http://seclists.org/oss-sec/2012/q4/424
http://secunia.com/advisories/53372
http://security.gentoo.org/glsa/glsa-201308-06.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2013:102
https://bugzilla.redhat.com/show_bug.cgi?id=883719
https://mariadb.atlassian.net/browse/MDEV-3915