Description

sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.

Remediation

References

CVE-2012-2122

Related Vulnerabilities

Apache HTTP Server CVE-2012-0883 Vulnerability (CVE-2012-0883)

phpMyFAQ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2005-3046)

PHP Uncontrolled Resource Consumption Vulnerability (CVE-2015-9253)

Moodle Other Vulnerability (CVE-2004-2237)

Jboss EAP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-2582)

Severity

Medium

Classification

CVE-2012-2122 CWE-287

Tags

Missing Update Known Vulnerabilities