Description

sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.

Remediation

References

CVE-2012-2122

Related Vulnerabilities

MediaWiki Improper Access Control Vulnerability (CVE-2016-6336)

Apache HTTP Server Use of Uninitialized Resource Vulnerability (CVE-2020-1934)

XWiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-45137)

Joomla Improper Link Resolution Before File Access ('Link Following') Vulnerability (CVE-2008-3227)

OpenSSL Improper Certificate Validation Vulnerability (CVE-2021-3450)

Severity

Medium

Classification

CVE-2012-2122 CWE-287

Tags

Missing Update Known Vulnerabilities