{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-12-03T00:00:00", "descriptions": [{"lang": "en", "value": "Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-02-10T22:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "20121203 MySQL Local/Remote FAST Account Password Cracking", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2012/Dec/58"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=883719"}, {"name": "20121205 Re: MySQL Local/Remote FAST Account Password\tCracking", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2012/Dec/83"}, {"name": "[oss-security] 20121206 Re: CVE request: Mysql/Mariadb insecure salt-usage", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2012/q4/424"}, {"name": "MDVSA-2013:102", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:102"}, {"name": "53372", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/53372"}, {"name": "GLSA-201308-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-201308-06.xml"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://mariadb.atlassian.net/browse/MDEV-3915"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T21:14:16.152Z"}, "title": "CVE Program Container", "references": [{"name": "20121203 MySQL Local/Remote FAST Account Password Cracking", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2012/Dec/58"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=883719"}, {"name": "20121205 Re: MySQL Local/Remote FAST Account Password\tCracking", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2012/Dec/83"}, {"name": "[oss-security] 20121206 Re: CVE request: Mysql/Mariadb insecure salt-usage", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2012/q4/424"}, {"name": "MDVSA-2013:102", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:102"}, {"name": "53372", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/53372"}, {"name": "GLSA-201308-06", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "http://security.gentoo.org/glsa/glsa-201308-06.xml"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://mariadb.atlassian.net/browse/MDEV-3915"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-5627", "datePublished": "2013-10-01T17:00:00", "dateReserved": "2012-10-24T00:00:00", "dateUpdated": "2024-08-06T21:14:16.152Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0A38E75-F13D-4DF1-96A3-26C41F9AB66C", "versionEndExcluding": "5.5.29", "versionStartIncluding": "5.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", "matchCriteriaId": "F26667EE-39AA-4BA1-B40D-37FBCB43B50B", "versionEndExcluding": "5.2.14", "versionStartIncluding": "5.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", "matchCriteriaId": "607658C7-318E-489B-926C-0B818EA172F0", "versionEndExcluding": "5.3.12", "versionStartIncluding": "5.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B845EAE-A675-4A46-A01C-0F8C253EE7ED", "versionEndExcluding": "5.5.29", "versionStartIncluding": "5.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mariadb:mariadb:10.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "3553190A-1EA3-4FDC-838C-1AF34A0D5D1A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks."}, {"lang": "es", "value": "Oracle MySQL y MariaDB 5.5.x anteriores a 5.5.29, 5.3.x anteriores a 5.3.12, y 5.2.x anteriores a 5.2.14 no modifican el \"salt\" durante m\u00faltiples ejecuciones del comando change_user en una misma conexi\u00f3n, lo cual facilita a usuarios remotamente autenticados ejecutar ataques de adivinaci\u00f3n de contrase\u00f1a por fuerza bruta."}], "id": "CVE-2012-5627", "lastModified": "2022-08-29T20:56:14.187", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-10-01T17:55:03.383", "references": [{"source": "secalert@redhat.com", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2012/Dec/58"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2012/Dec/83"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/oss-sec/2012/q4/424"}, {"source": "secalert@redhat.com", "tags": ["Not Applicable"], "url": "http://secunia.com/advisories/53372"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory", "VDB Entry"], "url": "http://security.gentoo.org/glsa/glsa-201308-06.xml"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:102"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=883719"}, {"source": "secalert@redhat.com", "tags": ["Broken Link", "Vendor Advisory"], "url": "https://mariadb.atlassian.net/browse/MDEV-3915"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "mysql: efficient password guessing attack using change_user()", "id": "883719", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=883719"}, "csaw": false, "cvss": {"cvss_base_score": "2.6", "cvss_scoring_vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "status": "draft"}, "details": ["Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks."], "name": "CVE-2012-5627", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "mysql", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "mysql", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2012-12-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2012-5627\nhttps://nvd.nist.gov/vuln/detail/CVE-2012-5627"], "statement": "Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Low"}