sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.
Published 2012-06-26 18:55:05
Updated 2014-02-21 04:50:38
Source Red Hat, Inc.
View at NVD,   CVE.org
Vulnerability category: BypassGain privilege

Products affected by CVE-2012-2122

Threat overview for CVE-2012-2122

Top countries where our scanners detected CVE-2012-2122
Top open port discovered on systems with this issue 21
IPs affected by CVE-2012-2122 1
Find out if you* are affected by CVE-2012-2122!
*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2012-2122

96.79%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2012-2122

  • MySQL Authentication Bypass Password Dump
    Disclosure Date: 2012-06-09
    First seen: 2020-04-26
    auxiliary/scanner/mysql/mysql_authbypass_hashdump
    This module exploits a password bypass vulnerability in MySQL in order to extract the usernames and encrypted password hashes from a MySQL server. These hashes are stored as loot for later cracking. Impacts MySQL versions: - 5.1.x before 5.1.63 - 5.5

CVSS scores for CVE-2012-2122

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
5.1
MEDIUM AV:N/AC:H/Au:N/C:P/I:P/A:P
4.9
6.4
NIST

CWE ids for CVE-2012-2122

  • When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
    Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-2122

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!