CVE-2012-4414

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

Multiple SQL injection vulnerabilities in the replication code in Oracle MySQL possibly before 5.5.29, and MariaDB 5.1.x through 5.1.62, 5.2.x through 5.2.12, 5.3.x through 5.3.7, and 5.5.x through 5.5.25, allow remote authenticated users to execute arbitrary SQL commands via vectors related to the binary log. NOTE: as of 20130116, Oracle has not commented on claims from a downstream vendor that the fix in MySQL 5.5.29 is incomplete.

References

http://bugs.mysql.com/bug.php?id=66550

http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00000.html

http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00013.html

http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00020.html

http://www.mandriva.com/security/advisories?name=MDVSA-2013:102

http://www.mandriva.com/security/advisories?name=MDVSA-2013:150

http://www.mysqlperformanceblog.com/2013/01/13/cve-2012-4414-in-mysql-5-5-29-and-percona-server-5-5-29/

http://www.openwall.com/lists/oss-security/2012/09/11/4

http://www.securityfocus.com/bid/55498

https://bugzilla.redhat.com/show_bug.cgi?id=852144

https://mariadb.atlassian.net/browse/MDEV-382

Details

Source: MITRE

Published: 2013-01-22

Updated: 2013-12-05

Type: CWE-89

Risk Information

CVSS v2

Base Score: 6.5

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:oracle:mysql:5.1.51:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.52:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.52:sp1:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.53:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.54:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.55:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.56:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.57:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.58:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.59:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.60:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.61:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.62:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.63:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.64:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.65:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.66:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.1.67:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.10:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.11:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.13:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.14:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.15:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.16:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.17:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.18:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.19:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.20:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.21:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.22:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.23:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.24:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.25:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.25:a:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.26:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:5.5.27:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:* versions up to 5.5.28 (inclusive)

Configuration 2

OR

cpe:2.3:a:mariadb:mariadb:5.1.41:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.1.42:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.1.44:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.1.47:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.1.49:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.1.50:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.1.51:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.1.53:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.1.55:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.1.60:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.1.61:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.1.62:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:mariadb:mariadb:5.2.0:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.2.1:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.2.2:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.2.3:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.2.4:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.2.5:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.2.6:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.2.7:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.2.8:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.2.9:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.2.10:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.2.11:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.2.12:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:a:mariadb:mariadb:5.3.0:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.3.1:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.3.2:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.3.3:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.3.4:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.3.5:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.3.6:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.3.7:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:a:mariadb:mariadb:5.5.20:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.5.21:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.5.22:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.5.23:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.5.24:*:*:*:*:*:*:*

cpe:2.3:a:mariadb:mariadb:5.5.25:*:*:*:*:*:*:*

Tenable Plugins

View all (8 total)

IDNameProductFamilySeverity
9277MariaDB Server 5.5.x < 5.5.33 / 5.6.x < 5.6.13 SQL InjectionNessus Network MonitorDatabase
medium
75141openSUSE Security Update : mariadb (openSUSE-SU-2013:0011-1)NessusSuSE Local Security Checks
medium
75036openSUSE Security Update : mariadb (openSUSE-SU-2013:0014-1)NessusSuSE Local Security Checks
medium
66215Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : mysql-5.1, mysql-5.5, mysql-dfsg-5.1 vulnerabilities (USN-1807-1)NessusUbuntu Local Security Checks
high
66114Mandriva Linux Security Advisory : mariadb (MDVSA-2013:102)NessusMandriva Local Security Checks
high
64503MySQL Binary Log SQL InjectionNessusDatabases
medium
64502MariaDB Binary Log SQL InjectionNessusDatabases
medium
64421FreeBSD : mysql/mariadb/percona server -- multiple vulnerabilities (8c773d7f-6cbb-11e2-b242-c8600054b392)NessusFreeBSD Local Security Checks
medium