Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2012-2122

Overview

Vulnerability Score 5.1 5.1
CVE Id CVE-2012-2122
Last Modified 20 Feb 2014 11:50:38
Published 26 Jun 2012 02:55:05
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact PARTIAL PARTIAL
Availability Impact PARTIAL PARTIAL
Access Vector NETWORK
Access Complexity HIGH
Authentication NONE

CVE-2012-2122

Summary

sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.

Vulnerable Systems

Application

  • Mariadb 5.1.41

  • Mariadb 5.1.42

  • Mariadb 5.1.44

  • Mariadb 5.1.47

  • Mariadb 5.1.49

  • Mariadb 5.1.50

  • Mariadb 5.1.51

  • Mariadb 5.1.53

  • Mariadb 5.1.55

  • Mariadb 5.1.60

  • Mariadb 5.1.61

  • Mariadb 5.2.0

  • Mariadb 5.2.1

  • Mariadb 5.2.10

  • Mariadb 5.2.11

  • Mariadb 5.2.2

  • Mariadb 5.2.3

  • Mariadb 5.2.4

  • Mariadb 5.2.5

  • Mariadb 5.2.6

  • Mariadb 5.2.7

  • Mariadb 5.2.8

  • Mariadb 5.2.9

  • Mariadb 5.3.0

  • Mariadb 5.3.1

  • Mariadb 5.3.2

  • Mariadb 5.3.3

  • Mariadb 5.3.4

  • Mariadb 5.3.5

  • Mariadb 5.3.6

  • Mariadb 5.5.20

  • Mariadb 5.5.21

  • Mariadb 5.5.22

  • Oracle Mysql 5.1.51

  • Oracle Mysql 5.1.52

  • Oracle Mysql 5.1.53

  • Oracle Mysql 5.1.54

  • Oracle Mysql 5.1.55

  • Oracle Mysql 5.1.56

  • Oracle Mysql 5.1.57

  • Oracle Mysql 5.1.58

  • Oracle Mysql 5.1.59

  • Oracle Mysql 5.1.60

  • Oracle Mysql 5.1.61

  • Oracle Mysql 5.5.10

  • Oracle Mysql 5.5.11

  • Oracle Mysql 5.5.12

  • Oracle Mysql 5.5.13

  • Oracle Mysql 5.5.14

  • Oracle Mysql 5.5.15

  • Oracle Mysql 5.5.16

  • Oracle Mysql 5.5.17

  • Oracle Mysql 5.5.18

  • Oracle Mysql 5.5.19

  • Oracle Mysql 5.5.20

  • Oracle Mysql 5.5.21

  • Oracle Mysql 5.6.2

  • Oracle Mysql 5.6.3

  • Oracle Mysql 5.6.4

  • Oracle Mysql 5.6.5


References

MISC - https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql

BID - 53911

EXPLOIT-DB - 19092

SECTRACK - 1027143

SECUNIA - 49417

MLIST - [oss-security] 20120609 Security vulnerability in MySQL/MariaDB sql/password.c

CONFIRM - http://kb.askmonty.org/en/mariadb-5162-release-notes/

MISC - http://bugs.mysql.com/bug.php?id=64884

SUSE - SUSE-SU-2012:0984

GENTOO - GLSA-201308-06

SECUNIA - 53372

Related Patches

Novell SUSE 2012:6613 libmysqlclient-devel security update for SLE 11 SP1 i586

Novell SUSE 2012:6613 libmysqlclient-devel security update for SLE 11 SP1 x86_64


Last Updated: 27 May 2016 10:56:35