CVE-2012-5615

high

Description

Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames.

References

https://mariadb.atlassian.net/browse/MDEV-3909

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

http://www.openwall.com/lists/oss-security/2012/12/02/4

http://www.openwall.com/lists/oss-security/2012/12/02/3

http://www.mandriva.com/security/advisories?name=MDVSA-2013:102

http://security.gentoo.org/glsa/glsa-201308-06.xml

http://secunia.com/advisories/53372

http://seclists.org/fulldisclosure/2012/Dec/9

http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00016.html

http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00000.html

Details

Source: Mitre, NVD

Published: 2012-12-03

Updated: 2023-02-13

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High