CVE-2012-5615
MySQL - Remote User Enumeration
Public Exploits: 2
Exploited in Wild: -
Descriptions
Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames.
MySQL v5.5.19 and possibly other versions, and MariaDB v5.5.28a, v5.3.11, v5.2.13, v5.1.66, and possibly other versions, generate different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid user names.
Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 5.5.40. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.
SSVC
- Decision:-
Timeline
- 2012-10-24 CVE Reserved
- 2012-12-02 First Exploit
- 2012-12-03 CVE Published
- 2024-08-06 CVE Updated
- 2025-04-03 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-209: Generation of Error Message Containing Sensitive Information
References (15)
URL | Tag | Source |
---|---|---|
http://seclists.org/fulldisclosure/2012/Dec/9 | Mailing List | |
http://secunia.com/advisories/53372 | Third Party Advisory | |
http://www.openwall.com/lists/oss-security/2012/12/02/3 | Mailing List | |
http://www.openwall.com/lists/oss-security/2012/12/02/4 | Mailing List | |
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html | X_refsource_confirm | |
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html | X_refsource_confirm | |
https://mariadb.atlassian.net/browse/MDEV-3909 | X_refsource_confirm | |
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/23081 | 2012-12-02 | |
https://www.exploit-db.com/exploits/23073 | 2012-12-02 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Mariadb | Mariadb | 5.1.66 | - | Affected |
Mariadb | Mariadb | 5.2.13 | - | Affected |
Mariadb | Mariadb | 5.3.11 | - | Affected |
Mariadb | Mariadb | 5.5.28a | - | Affected |
Oracle | Mysql | 5.5.19 | - | Affected |