#VU43280 Information disclosure in MariaDB and mysql - CVE-2012-5615
Published: December 3, 2012 / Updated: August 11, 2020
Vulnerability identifier: #VU43280
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2012-5615
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
MariaDB
mysql
MariaDB
mysql
Software vendor:
MariaDB Foundation
Google
MariaDB Foundation
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames.
Remediation
Install update from vendor's website.
External links
- http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00016.html
- http://seclists.org/fulldisclosure/2012/Dec/9
- http://secunia.com/advisories/53372
- http://security.gentoo.org/glsa/glsa-201308-06.xml
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:102
- http://www.openwall.com/lists/oss-security/2012/12/02/3
- http://www.openwall.com/lists/oss-security/2012/12/02/4
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
- https://mariadb.atlassian.net/browse/MDEV-3909