CVE-2012-5615

Oracle MySQL <5.5.38 & MariaDB <5.5.28a - Info Disclosure

Title source: llm

Description

Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames.

Exploits (2)

exploitdb WORKING POC VERIFIED

by kingcope · textremotewindows

https://www.exploit-db.com/exploits/23073

View Code ZIP pw:eip

exploitdb SCANNER VERIFIED

by kingcope · perlremotemultiple

https://www.exploit-db.com/exploits/23081

View Code ZIP pw:eip

References (11)

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00000.html

[Third Party Advisory] http://secunia.com/advisories/53372

[Third Party Advisory] http://security.gentoo.org/glsa/glsa-201308-06.xml

[Vendor Advisory] http://www.mandriva.com/security/advisories?name=MDVSA-2013:102

[Vendor Advisory] http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

[Various Sources] https://mariadb.atlassian.net/browse/MDEV-3909

[Mailing List] http://www.openwall.com/lists/oss-security/2012/12/02/3

[Mailing List] http://www.openwall.com/lists/oss-security/2012/12/02/4

[Mailing List] http://seclists.org/fulldisclosure/2012/Dec/9

[Vendor Advisory] http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00016.html

Scores

EPSS 0.2066

EPSS Percentile 95.5%

Classification

CWE

CWE-200

Status draft

Affected Products (5)

mariadb/mariadb

mariadb/mariadb

mariadb/mariadb

mariadb/mariadb

oracle/mysql

Timeline

Published Dec 03, 2012

Tracked Since Feb 18, 2026