CVE-2012-5615
MySQL - Remote User Enumeration
- Severity Score: 5.0 (CVSS v2)
- Public Exploits: 2 (Multiple Sources)
- Exploited in Wild: - (KEV)
- Decision: - (SSVC)
Descriptions
Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames.
MySQL v5.5.19 and possibly other versions, and MariaDB v5.5.28a, v5.3.11, v5.2.13, v5.1.66, and possibly other versions, generate different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid user names.
Oracle MySQL suffers from a user enumeration vulnerability. This is a utility that demonstrates the issue.
*Credits:
N/A
Timeline
- 2012-10-24 CVE Reserved
- 2012-12-02 First Exploit
- 2012-12-03 CVE Published
- 2024-08-06 CVE Updated
- 2024-10-29 EPSS Updated
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-209: Generation of Error Message Containing Sensitive Information
References (15)
URL | Tag |
---|---|
http://seclists.org/fulldisclosure/2012/Dec/9 | Mailing List |
http://secunia.com/advisories/53372 | Third Party Advisory |
http://www.openwall.com/lists/oss-security/2012/12/02/3 | Mailing List |
http://www.openwall.com/lists/oss-security/2012/12/02/4 | Mailing List |
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html | X_refsource_confirm |
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html | X_refsource_confirm |
https://mariadb.atlassian.net/browse/MDEV-3909 | X_refsource_confirm |
URL | Date |
---|---|
https://www.exploit-db.com/exploits/23081 | 2012-12-02 |
https://www.exploit-db.com/exploits/23073 | 2012-12-02 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Mariadb | Mariadb | 5.1.66 | - | Affected |
Mariadb | Mariadb | 5.2.13 | - | Affected |
Mariadb | Mariadb | 5.3.11 | - | Affected |
Mariadb | Mariadb | 5.5.28a | - | Affected |
Oracle | Mysql | 5.5.19 | - | Affected |